Qibocms local portal system second-order injection #5 (demo test)
Second-order SQL injection.
In hy/member/homepage_ctrl/pic_fm.php:

    if (count($pids) < 1) showerr("select an image");
    if (!$psid) showerr("Please specify a gallery");
    foreach ($pids as $pid) {
        if ($pid) {
            $rt = $db->get_one("SELECT url FROM {$_pre}pic WHERE pid='$pid'");
            // The url read back from the database goes straight into the UPDATE query,
            // so the next step is to find a place where that value gets stored.
            $db->query("UPDATE {$_pre}picsort SET faceurl='$rt[url]' WHERE psid='$psid' AND uid='$uid'");
        }
    }
There are many places where data is written to the database.
In hy/member/homepage_ctrl/pic_upload.php:

    foreach ($photoDB[url] AS $key => $value) {
        if (!eregi("\.(gif|jpg|jpeg|png|bmp)$", $value)) {
            delete_attachment($uid, tempdir($value));
            continue; // the value has to end with an image extension such as jpg
        }
        $picpath = "homepage/pic/" . ceil($uid / 1000) . "/";
        $picurl = $picpath . basename($value); // basename does not affect this
        move_attachment($uid, tempdir($value), $picpath); // move the image to its directory and add the watermark
        if (!is_file(ROOT_PATH . "$webdb[updir]/$picurl")) {
            $picurl = $value;
        }
        $Newpicpath = ROOT_PATH . "$webdb[updir]/{$picurl}.gif";
        gdpic(ROOT_PATH . "$webdb[updir]/$picurl", $Newpicpath, 150, 150);
        if (!is_file($Newpicpath)) {
            copy(ROOT_PATH . "$webdb[updir]/{$picurl}", $Newpicpath);
        }
        $title = filtrate($photoDB[name][$key]);
        $title = get_word($title, 32);
        // Debug output of the statement:
        // echo "INSERT INTO `{$_pre}pic` (`psid`, `uid`, `username`, `title`, `url`, `level`, `yz`, `posttime`, `isfs`, `orderlist`) VALUES ('$psid','$uid','$lfjid','$title','$picurl','0','1','$timestamp','0','0')"; exit;
        // Here $picurl is written to the database by the INSERT.
        $db->query("INSERT INTO `{$_pre}pic` (`psid`, `uid`, `username`, `title`, `url`, `level`, `yz`, `posttime`, `isfs`, `orderlist`) VALUES ('$psid','$uid','$lfjid','$title','$picurl','0','1','$timestamp','0','0')");
        $ck++;
    }
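First, the value is stored in the database.
It is escaped when it is written, so the INSERT itself is safe. Then
reading the value back out of the database and reusing it causes the injection.
Constructing the payload.
Here, I output the statement.
And then store it in the database.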
/hy/member/homepage_ctrl.php?atn=pic_fm&pids[]=45&psid=3313
The data is output.
Demo test:
Storing the value in the database
Reading the value back out of the database
Construct a column to see which column is updated, so that the data can be output.
Solution:
Escape the data when it is read back out of the database, before it is used in another query.
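
The store-then-reuse pattern and the fix described above, as an added example that is not Qibocms code: the schema, the file name and the helper names set_face_vulnerable / set_face_fixed are constructed for illustration, and it assumes PHP with the pdo_sqlite extension. The fixed path uses a bound parameter in place of manual escaping on read-back.

```php
<?php
// Added example with a constructed schema and constructed data; not Qibocms code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE pic (pid INTEGER PRIMARY KEY, url TEXT)");
$db->exec("CREATE TABLE picsort (psid INTEGER, uid INTEGER, faceurl TEXT)");
$db->exec("INSERT INTO picsort (psid, uid, faceurl) VALUES (3313, 7, '')");

// Step 1 (write path, as in pic_upload.php): the value is escaped on the way in,
// so the INSERT is safe, but the database stores the raw string, quote included.
$picurl = "homepage/pic/1/it's.jpg"; // constructed file name containing a quote
$db->exec("INSERT INTO pic (pid, url) VALUES (45, " . $db->quote($picurl) . ")");

// Step 2 (read path, as in pic_fm.php): the stored value comes back unescaped.
$rt = $db->query("SELECT url FROM pic WHERE pid = 45")->fetch(PDO::FETCH_ASSOC);

function set_face_vulnerable(PDO $db, array $rt, int $psid, int $uid): string {
    // Same shape as the UPDATE on the page: stored data spliced into the SQL text.
    try {
        $db->exec("UPDATE picsort SET faceurl='{$rt['url']}' WHERE psid='$psid' AND uid='$uid'");
        return "ok";
    } catch (PDOException $e) {
        // The stored quote ended the string literal early and changed the statement.
        return "statement altered by stored data: " . $e->getMessage();
    }
}

function set_face_fixed(PDO $db, array $rt, int $psid, int $uid): string {
    // Data read from the database is treated as untrusted again and bound as a parameter.
    $st = $db->prepare("UPDATE picsort SET faceurl = ? WHERE psid = ? AND uid = ?");
    $st->execute([$rt['url'], $psid, $uid]);
    return "ok, rows updated: " . $st->rowCount();
}

echo set_face_vulnerable($db, $rt, 3313, 7), "\n";
echo set_face_fixed($db, $rt, 3313, 7), "\n";
echo $db->query("SELECT faceurl FROM picsort WHERE psid = 3313")->fetchColumn(), "\n";
```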