之前测试一直都是在靶机上进行,在完善了差不多的插件之后无意间打开W13SCAN对本地搭建的emlog系统进行了被动扫描,结果挺出乎意料,找到了一些后台的SQL注入等漏洞,虽然影响不大,但毕竟是W13SCAN第一次测试发现的非预期漏洞,值得记录一下。
W13SCAN是被动+主动结合的扫描器,通过设置代理,将会自动分析流量以及根据插件检测相应漏洞。
扫描结果如下:
❤️ ( ⚫︎ー⚫︎ ) Woo,W13Scan~
/ \
/ ○ \ Version:0.1
/ / ヽ \
| / \ |
\Ԏ |イ
卜− ―イ
\ /\ /
︶ ︶
[2019-07-07 17:17:06] INFO Load plugin:25
[2019-07-07 17:17:06] INFO HTTPServer is running at address( 127.0.0.1 , 7778 )......
[2019-07-07 17:17:06] INFO Staring 10 threads
[js文件敏感内容匹配]
url http://emlog.demo/include/lib/js/jquery/jquery-1.7.1.js?v=5.3.1
info password:function
[JSONP寻找插件]
url http://www.emlog.net/services/messenger.php?v=5.3.1&callback=jQue
ry17107805987039919267_1562491029740&_=1562491029784
[js文件敏感内容匹配]
url http://emlog.demo/include/lib/js/jquery/jquery-1.7.1.js?
info password:function
[php 真实路径泄漏]
url http://emlog.demo/admin/?action%5B%5D=logout
[php 真实路径泄漏]
url http://emlog.demo/admin/index.php?action%5B%5D=phpinfo
[php 真实路径泄漏]
url http://emlog.demo/admin/write_log.php?gid=19&action%5B%5D=edit
[php 真实路径泄漏]
url http://emlog.demo/admin/attachment.php?logid=1&action%5B%5D=attli
b
[js文件敏感内容匹配]
url http://emlog.demo/admin/editor/lang/zh_CN.js?v=5.3.1
info http://www.kindsoft.net/license.php
[js文件敏感内容匹配]
url http://emlog.demo/admin/editor/lang/zh_CN.js?v=5.3.1
info luolonghao@gmail.com
[POST插件 基于报错SQL注入]
url http://emlog.demo/admin/save_log.php?action=edit
payload date=1536572397鎈'"\(
data {'title': '欢迎使用emlog', 'aaaaa-markdown-doc': '恭喜您成功安装了emlog,这是系统自
动生成的演示文章。编辑或者删除它,然后开始您的创作吧!aafe', 'content': '<p>恭喜您成功安装了emlog,这是系统自动生成的演示文章。编辑或
者删除它,然后开始您的创作吧!aafe</p>\r\n', 'as_logid': '1', 'tag': 'a', 'sort': '-1', 'postda
te': '2018-09-10+17:39:57', 'date': '1536572397鎈\'"\\(', 'excerpt': '', 'alias':
'', 'password': '', 'allow_remark': 'y', 'token': 'e5d1f89716f15c49abe216e4ef67
bd35', 'ishide': 'n', 'gid': '1', 'author': '1'}
dbms Unknown database
[POST插件 基于报错SQL注入]
url http://emlog.demo/admin/save_log.php?action=edit
payload allow_remark=y鎈'"\(
data {'title': '欢迎使用emlog', 'aaaaa-markdown-doc': '恭喜您成功安装了emlog,这是系统自
动生成的演示文章。编辑或者删除它,然后开始您的创作吧!aafe', 'content': '<p>恭喜您成功安装了emlog,这是系统自动生成的演示文章。编辑或
者删除它,然后开始您的创作吧!aafe</p>\r\n', 'as_logid': '1', 'tag': 'a', 'sort': '-1', 'postda
te': '2018-09-10+17:39:57', 'date': '1536572397', 'excerpt': '', 'alias': '', 'p
assword': '', 'allow_remark': 'y鎈\'"\\(', 'token': 'e5d1f89716f15c49abe216e4ef67
bd35', 'ishide': 'n', 'gid': '1', 'author': '1'}
dbms Unknown database
[POST插件 基于报错SQL注入]
url http://emlog.demo/admin/save_log.php?action=edit
payload ishide=n鎈'"\(
data {'title': '欢迎使用emlog', 'aaaaa-markdown-doc': '恭喜您成功安装了emlog,这是系统自
动生成的演示文章。编辑或者删除它,然后开始您的创作吧!aafe', 'content': '<p>恭喜您成功安装了emlog,这是系统自动生成的演示文章。编辑或
者删除它,然后开始您的创作吧!aafe</p>\r\n', 'as_logid': '1', 'tag': 'a', 'sort': '-1', 'postda
te': '2018-09-10+17:39:57', 'date': '1536572397', 'excerpt': '', 'alias': '', 'p
assword': '', 'allow_remark': 'y', 'token': 'e5d1f89716f15c49abe216e4ef67bd35',
'ishide': 'n鎈\'"\\(', 'gid': '1', 'author': '1'}
dbms Unknown database
[js文件敏感内容匹配]
url http://emlog.demo/admin/editor/kindeditor.js?v=5.3.1
info http://www.kindsoft.net/license.php
[php 真实路径泄漏]
url http://emlog.demo/admin/tag.php?tid=49&action%5B%5D=mod_tag
[php 真实路径泄漏]
url http://emlog.demo/admin/sort.php?sid=2&action%5B%5D=mod_sort
[php 真实路径泄漏]
url http://emlog.demo/admin/sort.php?sid=2&token=e5d1f89716f15c49abe2
16e4ef67bd35&action%5B%5D=del
[php 真实路径泄漏]
url http://emlog.demo/admin/sort.php?action=del&sid=2&token%5B%5D=e5d
1f89716f15c49abe216e4ef67bd35
[php 真实路径泄漏]
url http://emlog.demo/admin/comment.php?amp%3Bcid=2&action%5B%5D=edit
_comment
[php 真实路径泄漏]
url http://emlog.demo/admin/comment.php?amp%3Bid=2&action%5B%5D=hide
[php 真实路径泄漏]
url http://emlog.demo/admin/navbar.php?amp%3Bid=18&action%5B%5D=hide
[php 真实路径泄漏]
url http://emlog.demo/admin/navbar.php?amp%3Bnavid=69&action%5B%5D=mo
d
[php 真实路径泄漏]
url http://emlog.demo/admin/navbar.php?id=16&token=e5d1f89716f15c49ab
e216e4ef67bd35&action%5B%5D=del
[php 真实路径泄漏]
url http://emlog.demo/admin/navbar.php?action=del&id=16&token%5B%5D=e
5d1f89716f15c49abe216e4ef67bd35
[php 真实路径泄漏]
url http://emlog.demo/admin/link.php?linkid=144&token=e5d1f89716f15c4
9abe216e4ef67bd35&action%5B%5D=dellink
[php 真实路径泄漏]
url http://emlog.demo/admin/link.php?action=dellink&linkid=144&token%
5B%5D=e5d1f89716f15c49abe216e4ef67bd35
[php 真实路径泄漏]
url http://emlog.demo/admin/link.php?amp%3Blinkid=68&action%5B%5D=hid
e
[php 真实路径泄漏]
url http://emlog.demo/admin/page.php?action%5B%5D=new
[php 真实路径泄漏]
url http://emlog.demo/admin/page.php?id=6&action%5B%5D=mod
[php 真实路径泄漏]
url http://emlog.demo/admin/user.php?uid=2&action%5B%5D=edit
[POST插件 基于报错SQL注入]
url http://emlog.demo/admin/data.php?action=bakstart
payload table_box[]=emlog_attachment鎈'"\(
data {'table_box[]': 'emlog_attachment鎈\'"\\(', 'bakplace': 'server',
'token': 'e5d1f89716f15c49abe216e4ef67bd35'}
dbms MySQL database
[php 真实路径泄漏]
url http://emlog.demo/admin/plugin.php?plugin=emlog_markdown%2Femlog_
markdown.php&token=e5d1f89716f15c49abe216e4ef67bd35&action%5B%5D=inactive
[php 真实路径泄漏]
url http://emlog.demo/admin/plugin.php?action%5B%5D=install
[php 真实路径泄漏]
url http://emlog.demo/admin/template.php?action%5B%5D=install
[php 真实路径泄漏]
url http://emlog.demo/admin/template.php?tpl=default&side=1&token=e5d
1f89716f15c49abe216e4ef67bd35&action%5B%5D=usetpl
Plugin: JetBrans .idea 泄漏 time-out retry failed!3332 scanned in 266.89 seconds
[php 真实路径泄漏]
url http://emlog.demo/admin/comment.php?ip=127.0.0.1&token=e5d1f89716
f15c49abe216e4ef67bd35&action%5B%5D=delbyip
[php 真实路径泄漏]
url http://emlog.demo/admin/comment.php?action=delbyip&ip=127.0.0.1&t
oken%5B%5D=e5d1f89716f15c49abe216e4ef67bd35
[基于报错SQL注入]
url http://emlog.demo/admin/comment.php?action=delbyip&ip=127.0.0.1&t
oken=e5d1f89716f15c49abe216e4ef67bd35
payload ip=127.0.0.1鎈'"\(
[js文件敏感内容匹配]
url http://emlog.demo/content/templates/emlog_dux_f4.0//js/main.js?ve
r=4.9
info https://bugs.hacking8.com/cdn/1.php
[js文件敏感内容匹配]
url http://emlog.demo/content/templates/emlog_dux_f4.0//js/main.js?ve
r=4.9
info https://api.anotherhome.net/OwO/OwO.json
[js文件敏感内容匹配]
url http://emlog.demo/content/templates/emlog_dux_f4.0//js/main.js?
info https://bugs.hacking8.com/cdn/1.php
[js文件敏感内容匹配]
url http://emlog.demo/content/templates/emlog_dux_f4.0//js/main.js?
info https://api.anotherhome.net/OwO/OwO.json
严重一点的,发现了许多SQL注入漏洞,第一处是在后台保存博客的时候http://emlog.demo/admin/save_log.php?action=edit,date,allow_remark,ishide三个参数,后面通过源码分析,这其实是数据库设定了枚举类型,但是发送的payload不再预期内报错了,被扫描器抓到,虽然这处不算漏洞但是也发现了不同寻常地方,果然这款扫描器会自己挖洞了~~
第二处出现在了后台数据库备份的地方
[POST插件 基于报错SQL注入]
url http://emlog.demo/admin/data.php?action=bakstart
payload table_box[]=emlog_attachment鎈'"\(
data {'table_box[]': 'emlog_attachment鎈\'"\\(', 'bakplace': 'server',
'token': 'e5d1f89716f15c49abe216e4ef67bd35'}
dbms MySQL database
这次没有乌龙,真的就存在这个漏洞。
第三处在后台删除评论的地方
[基于报错SQL注入] url http://emlog.demo/admin/comment.php?action=delbyip&ip=127.0.0.1&t oken=e5d1f89716f15c49abe216e4ef67bd35 payload ip=127.0.0.1鎈'"\(
漏洞也真实存在,没有过滤这个参数。
然后通过逆向思维,可以发现这么几处有csrf的可能?
后面再下几套源码,带着它跑一跑,说不定会找到很多漏洞~
推特安全资讯监控.md
ERROR: Command errored out with exit status 1:
command: 'c:\python3\python.exe' -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\\Users\\Administrator\\AppData\\Local\\Temp\\pip-install-hs5r161h\\cffi\\setup.py'"'"'; __file__='"'"'C:\\Users\\Administrator\\AppData\\Local\\Temp\\pip-install-hs5r161h\\cffi\\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base 'C:\Users\Administrator\AppData\Local\Temp\pip-install-hs5r161h\cffi\pip-egg-info'
cwd: C:\Users\Administrator\AppData\Local\Temp\pip-install-hs5r161h\cffi\
Complete output (23 lines):
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "C:\Users\Administrator\AppData\Local\Temp\pip-install-hs5r161h\cffi\setup.py", line 127, in <module>
if sys.platform == 'win32' and uses_msvc():
File "C:\Users\Administrator\AppData\Local\Temp\pip-install-hs5r161h\cffi\setup.py", line 105, in uses_msvc
return config.try_compile('#ifndef _MSC_VER\n#error "not MSVC"\n#endif')
File "c:\python3\lib\distutils\command\config.py", line 225, in try_compile
self._compile(body, headers, include_dirs, lang)
File "c:\python3\lib\distutils\command\config.py", line 132, in _compile
self.compiler.compile([src], include_dirs=include_dirs)
File "c:\python3\lib\distutils\_msvccompiler.py", line 360, in compile
self.initialize()
File "c:\python3\lib\distutils\_msvccompiler.py", line 253, in initialize
vc_env = _get_vc_env(plat_spec)
File "c:\python3\lib\site-packages\setuptools\msvc.py", line 171, in msvc14_get_vc_env
return EnvironmentInfo(plat_spec, vc_min_ver=14.0).return_env()
File "c:\python3\lib\site-packages\setuptools\msvc.py", line 1075, in __init__
self.si = SystemInfo(self.ri, vc_ver)
File "c:\python3\lib\site-packages\setuptools\msvc.py", line 547, in __init__
vc_ver or self._find_latest_available_vs_ver())
File "c:\python3\lib\site-packages\setuptools\msvc.py", line 561, in _find_latest_available_vs_ver
raise distutils.errors.DistutilsPlatformError(
distutils.errors.DistutilsPlatformError: Microsoft Visual C++ 14.0 is required. Get it with "Build Tools for Visual Studio": https://visualstudio.microsoft.com/downloads/
----------------------------------------
ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.