TCCMS SQL injection vulnerability(blind)-vulnerability warning-the black bar safety net

ID MYHACK58:62201442308
Type myhack58
Reporter 佚名
Modified 2014-02-11T00:00:00


\app\controller\area. class. php is not the id of the process, there is injected into the

public function getCitys() {

$aeraObj = M("area");

$provinceId = $_GET["id"]; //do not perform any processing

//Fix suggested$provinceId = intval($_GET["id"]); mandatory conversion

return $aeraObj->getCitysByProvinceId($provinceId);


\app\model\areaAction.class.php under the direct sql processing

public function getCitysByProvinceId($provinceId) {

$type = $_GET['type'];

$ary =$this->where("pid = ".$ provinceId)->limit(1 0 0 0)->find(); //$provinceId untreated

Visit: normal display

Then AND 1=1&ac=area_getCitys

! tccms1

Then again AND 1=2&ac=area_getCitys

! tccms2

Local test can be determined that the administrator user number is 1

! tccms3