phpmps: a SQL injection

2014-02-25T00:00:00
ID SSV:95354
Type seebug
Reporter Root
Modified 2014-02-25T00:00:00

Description

Brief description:

Insufficient filtering.

Details:

In member.php

case 'check_info_gold':
    $json = new Services_JSON;
    // extract() imports every request parameter as a local variable,
    // so it can overwrite variables that are already set, such as $table
    extract($_REQUEST);
    $m_gold = $db->getOne("select gold from {$table}member where userid='$_userid' ");
    $data['kou'] = $CFG['info_top_gold'] * intval($number);
    $data['gold'] = $m_gold - $data['kou'];
    $data = $json->encode($data);
    echo $data;
    break;

extract() allows variable overwriting. $table can be overwritten directly, the rest of the statement completed, and the query injected.
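A hardened form of this case, as an added example that is not phpmps code: it reads only the `number` parameter instead of calling extract(), and binds the user id as a query parameter. The function signature, the `phpmps_` table prefix, the PDO in-memory SQLite database standing in for `$db`, and the session-derived user id are assumptions; the data is constructed.

```php
<?php
// Added example, not phpmps code. Table prefix, schema and the
// session-derived user id are assumptions; all data below is constructed.

// Hardened handler: reads only the one parameter it needs, never extract().
function check_info_gold(PDO $pdo, string $tablePrefix, string $userId,
                         array $request, int $infoTopGold): array
{
    // The table prefix comes from configuration only; validate it anyway,
    // because identifiers cannot be bound as query parameters.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $tablePrefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    // Only "number" is taken from the request, and it is cast to int.
    $number = isset($request['number']) ? intval($request['number']) : 0;

    // The user id is bound as a parameter instead of being interpolated.
    $stmt = $pdo->prepare(
        "SELECT gold FROM {$tablePrefix}member WHERE userid = :uid"
    );
    $stmt->execute([':uid' => $userId]);
    $gold = (int) $stmt->fetchColumn();   // no matching row yields 0

    $kou = $infoTopGold * $number;
    return ['kou' => $kou, 'gold' => $gold - $kou];
}

// Constructed demo data: in-memory SQLite with one member row.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE phpmps_member (userid TEXT PRIMARY KEY, gold INTEGER)");
$pdo->exec("INSERT INTO phpmps_member VALUES ('alice', 100)");

// Constructed request that also carries keys named like internal variables.
$request = ['number' => '3', 'table' => 'other_', '_userid' => 'bob'];

// With extract($request) those two keys would replace $table and $_userid;
// here they are ignored because the handler never reads them.
$result = check_info_gold($pdo, 'phpmps_', 'alice', $request, 10);
echo json_encode($result), "\n";
```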

Proof of vulnerability:

<img src="https://images.seebug.org/upload/201402/2221213246022d89907aafca8919afa258b2b1b8.jpg" alt="UQ1~4HI$C0N0W(@%{8TMNH.jpg" width="600">