2 matches found
Ecmall 2.x has a SQL injection vulnerability affecting all versions - Vulnerability Warning - the black bar safety net
Brief description: I originally wanted to finish the analysis and then get to work on ECSHOP... but this old monk has never been given the chance. I find it harder and harder to believe this is the official version; maybe I downloaded the wrong one. I drank too much and my head is a little dizzy. I don't know if the analysis is written...
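Ecmall 2.x has a SQL injection vulnerability affecting all versions
Brief description: I originally wanted to finish the analysis early and then get to work on ECSHOP... but this old monk was never given the chance. I find it harder and harder to believe this is the official version; maybe I downloaded the wrong one. I drank too much and my head is a little dizzy. I don't know whether I got the analysis wrong... Details: injection in the order by parameter. A union cannot follow it, but a double query can be used. select...from...order by 1 and select username from ecmmember where userid=1 or select...from...order by 1,select username from ecmmember where userid=1...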