moonf1sh.github.io/2018/10/30/DedeCMS-V57-SQL注入/index.html
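<!doctype html>
<!-- NOTE(review): lang is empty because the generator's language setting is
     unset. The post content is Chinese (theme UI strings are German), so a
     value such as "zh" is the likely fix; confirm in the Hexo site config. -->
<html class="theme-next muse use-motion" lang="">
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <!-- maximum-scale=1 removed: it disabled pinch-zoom (WCAG 1.4.4). -->
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="theme-color" content="#222">
  <meta http-equiv="Cache-Control" content="no-transform">
  <meta http-equiv="Cache-Control" content="no-siteapp">
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet">
  <link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet">
  <link href="/css/main.css?v=5.1.3" rel="stylesheet">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.3">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=5.1.3">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=5.1.3">
  <link rel="mask-icon" href="/images/logo.svg?v=5.1.3" color="#222">
  <meta name="keywords" content="Hexo, NexT">
  <meta name="description" content="六月份提交给先知的漏洞,不过重复了 版本信息: 注入点:http://localhost/dedecms/v57/dede/co_do.php?clshash=true&amp;dopost=clear&amp;ids=* 根据我们hook的函数发现payload直接进入查询语句sleep(1)s">
  <!-- NOTE(review): every absolute URL below uses "http://yoursite.com", the
       Hexo default placeholder, so canonical and Open Graph links appear not to
       point at the deployed site. Set `url` in the site config so the generator
       emits the real origin; do not hand-edit generated output. -->
  <meta property="og:type" content="article">
  <meta property="og:title" content="DedeCMS V57 SQL注入">
  <meta property="og:url" content="http://yoursite.com/2018/10/30/DedeCMS-V57-SQL注入/index.html">
  <meta property="og:site_name" content="Moonfish's blog">
  <meta property="og:description" content="六月份提交给先知的漏洞,不过重复了 版本信息: 注入点:http://localhost/dedecms/v57/dede/co_do.php?clshash=true&amp;dopost=clear&amp;ids=* 根据我们hook的函数发现payload直接进入查询语句sleep(1)sleep(5)sqlmap测试定位到.\dede\co_do.php文件中当$ids和$cl">
  <meta property="og:image" content="http://yoursite.com/2018/10/30/DedeCMS-V57-SQL注入/version.png">
  <meta property="og:image" content="http://yoursite.com/2018/10/30/DedeCMS-V57-SQL注入/hook.png">
  <meta property="og:image" content="http://yoursite.com/2018/10/30/DedeCMS-V57-SQL注入/sleep1.png">
  <meta property="og:image" content="http://yoursite.com/2018/10/30/DedeCMS-V57-SQL注入/sleep2.png">
  <meta property="og:image" content="http://yoursite.com/2018/10/30/DedeCMS-V57-SQL注入/sqlmap.png">
  <meta property="og:image" content="http://yoursite.com/2018/10/30/DedeCMS-V57-SQL注入/code.png">
  <meta property="og:updated_time" content="2018-10-30T15:40:39.807Z">
  <meta name="twitter:card" content="summary">
  <meta name="twitter:title" content="DedeCMS V57 SQL注入">
  <meta name="twitter:description" content="六月份提交给先知的漏洞,不过重复了 版本信息: 注入点:http://localhost/dedecms/v57/dede/co_do.php?clshash=true&amp;dopost=clear&amp;ids=* 根据我们hook的函数发现payload直接进入查询语句sleep(1)sleep(5)sqlmap测试定位到.\dede\co_do.php文件中当$ids和$cl">
  <meta name="twitter:image" content="http://yoursite.com/2018/10/30/DedeCMS-V57-SQL注入/version.png">
  <script id="hexo.configurations">
    // Theme runtime configuration, presumably read by the NexT scripts that are
    // included at the end of <body>. Values are kept exactly as generated.
    var NexT = window.NexT || {};
    var CONFIG = {
      root: '/',
      scheme: 'Muse',
      version: '5.1.3',
      sidebar: {
        "position": "left",
        "display": "post",
        "offset": 12,
        "b2t": false,
        "scrollpercent": false,
        "onmobile": false
      },
      fancybox: true,
      tabs: true,
      motion: {
        "enable": true,
        "async": false,
        "transition": {
          "post_block": "fadeIn",
          "post_header": "slideDownIn",
          "post_body": "slideDownIn",
          "coll_header": "slideLeftIn",
          "sidebar": "slideUpIn"
        }
      },
      duoshuo: {
        userId: '0',
        author: 'Author'
      },
      // Algolia credentials are empty on this site; the search settings below
      // are the theme defaults.
      algolia: {
        applicationID: '',
        apiKey: '',
        indexName: '',
        hits: {"per_page": 10},
        labels: {
          "input_placeholder": "Search for Posts",
          "hits_empty": "We didn't find any results for the search: ${query}",
          "hits_stats": "${hits} results found in ${time} ms"
        }
      }
    };
  </script>
  <link rel="canonical" href="http://yoursite.com/2018/10/30/DedeCMS-V57-SQL注入/">
  <title>DedeCMS V57 SQL注入 | Moonfish's blog</title>
</head>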
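<!-- lang="" dropped from <body>: the document language belongs on <html> only. -->
<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>
    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner">
        <div class="site-brand-wrapper">
          <div class="site-meta">
            <div class="custom-logo-site-title">
              <a href="/" class="brand" rel="start">
                <span class="logo-line-before"><i></i></span>
                <span class="site-title">Moonfish's blog</span>
                <span class="logo-line-after"><i></i></span>
              </a>
            </div>
            <p class="site-subtitle"></p>
          </div>
          <div class="site-nav-toggle">
            <!-- Icon-only toggle: type="button" keeps it out of any form submit
                 path; aria-label gives it an accessible name. -->
            <button type="button" aria-label="Toggle navigation">
              <span class="btn-bar"></span>
              <span class="btn-bar"></span>
              <span class="btn-bar"></span>
            </button>
          </div>
        </div>
        <!-- Two <nav> landmarks exist on the page (this one and the site-state
             block in the sidebar), so each gets a distinguishing label. -->
        <nav class="site-nav" aria-label="Site">
          <ul id="menu" class="menu">
            <li class="menu-item menu-item-home">
              <a href="/" rel="section">
                <i class="menu-item-icon fa fa-fw fa-home" aria-hidden="true"></i> <br>
                Startseite
              </a>
            </li>
            <li class="menu-item menu-item-archives">
              <a href="/archives/" rel="section">
                <i class="menu-item-icon fa fa-fw fa-archive" aria-hidden="true"></i> <br>
                Archiv
              </a>
            </li>
          </ul>
        </nav>
      </div>
    </header>
    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            <div id="posts" class="posts-expand">
              <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
                <div class="post-block">
                  <link itemprop="mainEntityOfPage" href="http://yoursite.com/2018/10/30/DedeCMS-V57-SQL注入/">
                  <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
                    <meta itemprop="name" content="moonfish">
                    <meta itemprop="description" content="">
                    <meta itemprop="image" content="/images/avatar.gif">
                  </span>
                  <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
                    <meta itemprop="name" content="Moonfish's blog">
                  </span>
                  <header class="post-header">
                    <h1 class="post-title" itemprop="name headline">DedeCMS V57 SQL注入</h1>
                    <div class="post-meta">
                      <span class="post-time">
                        <span class="post-meta-item-icon">
                          <i class="fa fa-calendar-o" aria-hidden="true"></i>
                        </span>
                        <span class="post-meta-item-text">Veröffentlicht am</span>
                        <time title="Post created" itemprop="dateCreated datePublished" datetime="2018-10-30T23:23:22+08:00">
                          2018-10-30
                        </time>
                      </span>
                    </div>
                  </header>
                  <div class="post-body" itemprop="articleBody">
                    <!-- Fixes: bare "&" in the <code> text is now &amp; (it was
                         invalid text content), and each screenshot gets an alt
                         taken from the sentence that introduces it instead of
                         the placeholder "image". -->
                    <p> 六月份提交给先知的漏洞,不过重复了<br>
                      版本信息:<br>
                      <img src="/2018/10/30/DedeCMS-V57-SQL注入/version.png" alt="DedeCMS 版本信息截图"><br>
                      注入点:<code>http://localhost/dedecms/v57/dede/co_do.php?clshash=true&amp;dopost=clear&amp;ids=*</code><br>
                      根据我们hook的函数发现payload直接进入查询语句<br>
                      <img src="/2018/10/30/DedeCMS-V57-SQL注入/hook.png" alt="hook 函数输出截图,payload 进入查询语句"><br>
                      sleep(1)<br>
                      <img src="/2018/10/30/DedeCMS-V57-SQL注入/sleep1.png" alt="sleep(1) 测试截图"><br>
                      sleep(5)<br>
                      <img src="/2018/10/30/DedeCMS-V57-SQL注入/sleep2.png" alt="sleep(5) 测试截图"><br>
                      sqlmap测试<br>
                      <img src="/2018/10/30/DedeCMS-V57-SQL注入/sqlmap.png" alt="sqlmap 测试截图"><br>
                      定位到<code>.\dede\co_do.php</code>文件中当$ids和$clshash不为空时,$ids直接拼接到查询语句执行<br>
                      <img src="/2018/10/30/DedeCMS-V57-SQL注入/code.png" alt="co_do.php 源码截图,$ids 拼接到查询语句"><br>
                      IAST是个有趣的工具,还是需要不断研究的。</p>
                  </div>
                  <footer class="post-footer">
                    <div class="post-nav">
                      <div class="post-nav-next post-nav-item">
                        <a href="/2018/07/05/PocScan-无法加载bugscan插件的解决办法/" rel="next" title="PocScan 无法加载bugscan插件的解决办法">
                          <i class="fa fa-chevron-left" aria-hidden="true"></i> PocScan 无法加载bugscan插件的解决办法
                        </a>
                      </div>
                      <span class="post-nav-divider"></span>
                      <div class="post-nav-prev post-nav-item">
                        <a href="/2019/01/30/webpack带来的安全风险/" rel="prev" title="webpack带来的安全风险">
                          webpack带来的安全风险 <i class="fa fa-chevron-right" aria-hidden="true"></i>
                        </a>
                      </div>
                    </div>
                  </footer>
                </div>
              </article>
              <div class="post-spread">
              </div>
            </div>
          </div>
        </div>
        <div class="sidebar-toggle">
          <div class="sidebar-toggle-line-wrap">
            <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
            <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
            <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
          </div>
        </div>
        <aside id="sidebar" class="sidebar">
          <div class="sidebar-inner">
            <section class="site-overview-wrap sidebar-panel sidebar-panel-active">
              <div class="site-overview">
                <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
                  <p class="site-author-name" itemprop="name">moonfish</p>
                  <p class="site-description motion-element" itemprop="description"></p>
                </div>
                <nav class="site-state motion-element" aria-label="Site statistics">
                  <div class="site-state-item site-state-posts">
                    <a href="/archives/">
                      <span class="site-state-item-count">7</span>
                      <span class="site-state-item-name">Artikel</span>
                    </a>
                  </div>
                </nav>
                <div class="links-of-author motion-element">
                </div>
              </div>
            </section>
          </div>
        </aside>
      </div>
    </main>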
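<footer id="footer" class="footer">
  <div class="footer-inner">
    <div class="copyright">© <span itemprop="copyrightYear">2019</span>
      <span class="with-love">
        <i class="fa fa-user" aria-hidden="true"></i>
      </span>
      <span class="author" itemprop="copyrightHolder">moonfish</span>
    </div>
    <!-- rel="noopener" on the target="_blank" links so the opened page gets no
         window.opener handle back to this one. -->
    <div class="powered-by">Erstellt mit <a class="theme-link" target="_blank" rel="noopener" href="https://hexo.io">Hexo</a></div>
    <span class="post-meta-divider">|</span>
    <div class="theme-info">Theme — <a class="theme-link" target="_blank" rel="noopener" href="https://github.com/iissnan/hexo-theme-next">NexT.Muse</a> v5.1.3</div>
    <!-- page counter part -->
    <!--
      Visit counter stored in a LeanCloud ("AV") class named "Counter".
      NOTE(review): this inline script executes before jQuery is loaded (the
      /lib/jquery include sits near the end of <body>) and no AV SDK script is
      included anywhere in this page, so the $(...) call below used to throw a
      ReferenceError on every page load. The guard now skips the counter when
      either library is absent; the proper fix is to include the SDK and move
      this block after the library includes.
      NOTE(review): the selectors .article-title, .article-date and .popularlist
      do not occur in this page's markup (the post uses .post-title and
      .post-time), so even with both libraries present nothing would be counted
      or listed on this page.
    -->
    <script>
      /**
       * Increment the "time" field of the Counter row whose "url" matches the
       * current article, creating the row with time=1 on first visit.
       * @param {Function} Counter  AV.Object subclass for the "Counter" class.
       */
      function addCount (Counter) {
        // Declared locally: the original leaked url/title as implicit globals.
        var url = $('.article-date').attr('href').trim();
        var title = $('.article-title').text().trim();
        var query = new AV.Query(Counter);
        // The url is the unique identification of a post.
        query.equalTo("url", url);
        query.find({
          success: function (results) {
            if (results.length > 0) {
              var counter = results[0];
              counter.fetchWhenSave(true); // fetch the latest value before saving
              counter.increment("time");
              counter.save();
            } else {
              var newcounter = new Counter();
              newcounter.set("title", title);
              newcounter.set("url", url);
              newcounter.set("time", 1);
              newcounter.save(null, {
                success: function (created) {
                  // Nothing to do: the row now exists.
                },
                error: function (created, error) {
                  alert('Failed to create');
                }
              });
            }
          },
          error: function (error) {
            // An empty result set is not an error; this is a real query failure.
            alert('Error:' + error.code + " " + error.message);
          }
        });
      }

      // Guard: see the review note above this script.
      if (typeof $ === 'function' && typeof AV !== 'undefined') {
        $(function () {
          var Counter = AV.Object.extend("Counter");
          // Only increase the visit count when entering a single post page.
          if ($('.article-title').length == 1) {
            addCount(Counter);
          }
          var query = new AV.Query(Counter);
          query.descending("time");
          // Number of popular posts to list.
          query.limit(10);
          query.find({
            success: function (results) {
              var list = $('.popularlist');
              for (var i = 0; i < results.length; i++) {
                var counter = results[i];
                var title = counter.get("title");
                var url = counter.get("url");
                var time = counter.get("time");
                var showcontent = title + " (" + time + ")";
                // title/url come back from the remote store. Build the nodes
                // with .attr()/.text() rather than concatenating an HTML string
                // so a stored value cannot inject markup into this page.
                var link = $('<a></a>').attr('href', url).text(showcontent);
                list.append($('<li></li>').append(link));
              }
            },
            error: function (error) {
              alert("Error:" + error.code + " " + error.message);
            }
          });
        });
      }
    </script>
  </div>
</footer>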
| <div class="back-to-top"> | |
| <i class="fa fa-arrow-up"></i> | |
| </div> | |
| </div> | |
| <script type="text/javascript"> | |
| if (Object.prototype.toString.call(window.Promise) !== '[object Function]') { | |
| window.Promise = null; | |
| } | |
| </script> | |
| <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script> | |
| <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script> | |
| <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script> | |
| <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script> | |
| <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script> | |
| <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script> | |
| <script type="text/javascript" src="/js/src/utils.js?v=5.1.3"></script> | |
| <script type="text/javascript" src="/js/src/motion.js?v=5.1.3"></script> | |
| <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.3"></script> | |
| <script type="text/javascript" src="/js/src/post-details.js?v=5.1.3"></script> | |
| <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.3"></script> | |
| </body> | |
| </html> |