Qibocms local portal system SQL injection (the same pattern appears in several places; demo test)
There are many similar spots in the code; this write-up walks through one of them.
Register a member account first.
In dianping/post.php:
    if ($action == "postnew") {
        if ($webdb[ForbidPostMore]) {
            if ($db->get_one("SELECT * FROM {$_pre}content WHERE uid='$lfjuid' LIMIT 1")) {
                showerr("The system settings allow only one shop to be published per user!");
            }
        }
        if (!check_rand_num($_POST["$webdb[rand_num_inputname]"])) {
            showerr("The system random code is invalid. Please go back, refresh the page, enter the data again and submit again!");
        }
        if (!$postdb[city_id]) {
            showerr("Please select a city");
        }
        /* verification code handling */
        if ($webdb[Info_GroupPostYzImg] && in_array($groupdb['gid'], explode(",", $webdb[Info_GroupPostYzImg]))) {
            if (!$web_admin && !check_imgnum($yzimg)) {
                showerr("Verification code does not match, publishing failed");
            }
        }
        $postdb['list'] = $timestamp;
        if ($iftop) {    // recommended to top
            // $_erp has not been assigned yet at this point (see below)
            @extract($db->get_one("SELECT COUNT(*) AS num FROM `{$_pre}content$_erp` WHERE list>'$timestamp' AND fid='$fid' AND city_id='$postdb[city_id]'"));
            // ... remainder of the handler not shown on the page
        }
        // ...
    }
Let's publish a post and look at the query it triggers:

    @extract($db->get_one("SELECT COUNT(*) AS num FROM `{$_pre}content$_erp` WHERE list>'$timestamp' AND fid='$fid' AND city_id='$postdb[city_id]'"));

Look at the table name in this statement, {$_pre}content$_erp, and find where $_erp comes from in this file.
The query is on line 173.
$_erp is only assigned on line 187, so on line 173 it has not been initialized yet.
Combined with qibocms's pseudo-global mechanism (request parameters are registered as ordinary variables), the $_erp used on line 173 is under our control, and that gives the injection.
Construct the request:

    dianping/post.php?action=postnew&fid=11&postdb[address]=xx&postdb[city_id]=x&_erp=aaa&iftop=1&yzimg=a1df

Data is output successfully.
___________________________________________________________________________
Test demo.
Solution:
Move $_erp = $Fid_db[tableid][$fid]; in front of the query (before line 173), so $_erp is assigned from the category table before it is used.
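As an added example (not Qibocms code), the following PHP shows the hardened shape of the "recommended to top" query that the fix aims at: $_erp is assigned from the trusted category lookup before it is read, the resulting table suffix is whitelisted, and the three values are bound rather than interpolated. The names $Fid_db, $_pre, $fid and city_id are taken from the page; the category table contents, the mysqli handle and the helper function names are assumptions, and get_result() assumes the mysqlnd driver.

```php
<?php
// Added example, not Qibocms code: hardened form of the "recommended to top" query.
// Assumptions (hypothetical): $Fid_db['tableid'] maps a category id to a table
// suffix, $_pre is the table prefix, and a connected mysqli handle is available.
// Qibo's pseudo-global mechanism registers request parameters as variables, so
// the defensive rule is: never read $_erp before it has been assigned from a
// trusted source, and never let the request decide a table name.

// Constructed stand-in for the real category table; the suffixes are trusted data.
$Fid_db = ['tableid' => [11 => '', 12 => '_2']];
$_pre   = 'qb_';

function resolve_table_suffix(array $fidDb, $fid)
{
    $fid = (int) $fid;
    // Unknown category: fail closed instead of silently using an empty suffix.
    if (!array_key_exists($fid, $fidDb['tableid'])) {
        throw new InvalidArgumentException('unknown fid');
    }
    $suffix = (string) $fidDb['tableid'][$fid];
    // A table suffix never needs anything beyond these characters; reject the rest
    // so that even a tampered configuration row cannot become SQL.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $suffix)) {
        throw new RuntimeException('bad table suffix in configuration');
    }
    return $suffix;
}

function count_newer_top_posts(mysqli $db, array $fidDb, $pre, $fid, $cityId, $timestamp)
{
    // 1. $_erp is assigned from the trusted lookup BEFORE the query (the page's fix);
    //    any request-supplied _erp value is overwritten here rather than reaching SQL.
    $_erp = resolve_table_suffix($fidDb, $fid);

    // 2. The table name is the one identifier that cannot be a bound parameter,
    //    so it is built only from the configured prefix and the validated suffix.
    $table = "`{$pre}content{$_erp}`";

    // 3. timestamp, fid and city_id are bound as integers, not interpolated.
    $fid       = (int) $fid;
    $cityId    = (int) $cityId;
    $timestamp = (int) $timestamp;
    $stmt = $db->prepare(
        "SELECT COUNT(*) AS num FROM $table WHERE list > ? AND fid = ? AND city_id = ?"
    );
    $stmt->bind_param('iii', $timestamp, $fid, $cityId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return (int) $row['num'];
}

// Usage sketch (credentials are placeholders):
// $db  = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// $num = count_newer_top_posts($db, $Fid_db, $_pre,
//            $_GET['fid'] ?? 0, $_GET['postdb']['city_id'] ?? 0, time());
```

Two points for whoever applies the fix: the original @extract(...) silences the database error that a malformed table name would otherwise raise, so dropping the @ (or logging failures in the get_one wrapper) makes this class of bug visible in the error log instead of hiding it; and because the pseudo-global mechanism affects every file, the same "used before assigned" search should be run across the rest of the code base, which is what the title's "similar in multiple places" refers to.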