Could you please specify where the fix was made?
Thank you :)
The first one:
The code is currently on the thinkphp5.0 branch.
You can view the relevant code in lines 29-31 of the applocation\admin\controller\AdminLog.php file.
The second one:
You can view the relevant code in lines 21 and 63-66 of the applocation\admin\controller\Databack.php file.
Related code files:
/extend/tools/DataBackup.php, line 117.
1. SQL INJECTION
In the controller file applocation\admin\controller\AdminLog.php,
in the function index,
code lines 28-33,
the parameter named user_id is used without any filter, then just brought into the MySQL query.

After logging in to your app with the demo account (demo / demo),
and then using the payload -- admin/admin_log/index.html?user_id=1+updatexml(1,concat(0x7e,(version())),0) we can get the version of your MySQL. That's the test on your demo website.
2. Download files without any limit
In the file
application\admin\controller\databack.php,
in the function __construct, lines 16-29,
from the code we know that the parameter "name" comes from the GET method, without any limit.
Let's take a look at code lines 61-64.
$this->back is defined in the file \extend\tools\DataBackup.php, lines 115-128.
The dowloadfile function doesn't have any filters.

So I deployed the app locally; after login we try the PoC URL /admin/databack/download.html?name=../application/database.php
We can read the config file containing the MySQL account and password.
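Both findings are the same defect, a request parameter reaching a sink with no validation; as an added example (not code from the reported project), the plain PHP below shows the corresponding fixes: user_id validated as an integer and bound in a prepared statement, and the backup download name allow-listed and confined to the backup directory so a name like `../application/database.php` is rejected. The function names, the `admin_log` table, `$backupDir` and the PDO handle are assumptions for illustration.

```php
<?php
// Added example, not the reported project's code. Function names, the
// admin_log table, $backupDir and the PDO connection are assumptions.

// Finding 1: user_id must never be concatenated into the SQL string.
// Validate it as an integer and bind it, so "1 updatexml(...)" is refused.
function findAdminLogs(PDO $db, $rawUserId): array
{
    // filter_var() returns false for anything that is not a clean integer
    $userId = filter_var($rawUserId, FILTER_VALIDATE_INT);
    if ($userId === false || $userId < 0) {
        throw new InvalidArgumentException('user_id must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT * FROM admin_log WHERE user_id = :uid ORDER BY id DESC');
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Finding 2: the download name must resolve to a file inside the backup
// directory. Allow-list the characters first, then confirm with realpath().
function resolveBackupFile(string $backupDir, string $name): string
{
    // Only plain backup file names: no slashes, no "..", a fixed extension.
    if (!preg_match('/^[A-Za-z0-9_-]+\.sql(\.gz)?$/', $name)) {
        throw new InvalidArgumentException('invalid backup name');
    }
    $base = realpath($backupDir);
    $path = realpath($backupDir . DIRECTORY_SEPARATOR . $name);
    // realpath() is false for a missing file; the prefix check catches
    // anything that still escapes $backupDir (e.g. a symlinked entry).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('backup file not found');
    }
    return $path;
}

// Self-check with a constructed temp directory: the real backup resolves,
// the traversal names (including the one from the report) are rejected.
$dir = sys_get_temp_dir() . '/backup_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/20240101-120000.sql", "-- constructed sample\n");
echo 'resolved: ', resolveBackupFile($dir, '20240101-120000.sql'), "\n";
foreach (['../application/database.php', 'x/../../database.php', '..'] as $bad) {
    try { resolveBackupFile($dir, $bad); echo "FAIL, accepted: $bad\n"; }
    catch (InvalidArgumentException $e) { echo "rejected: $bad\n"; }
}
unlink("$dir/20240101-120000.sql");
rmdir($dir);
```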