First, locate the route from the URL path `?m=Book&a=index`. Open `c/index/BookAction.class.php` in the root directory and look at the `index` method:
Go straight into the `add` function:
Follow the `addModel` function:
Follow the `addDB` function:
This is where the problem lies. A `foreach` loop walks the `$data` array and, in each iteration, puts the current element's key into `$key` and its value into `$v`. The value is wrapped in single quotes, but that is not enough: the key is concatenated into the column list of the statement without any filtering or escaping, so a caller who controls the array keys controls part of the SQL.
Capture the request and append a `)` to the value of `mail`:
The database error is triggered successfully. After inspecting the database structure, we construct the following statement.
The PoC is as follows:
name=x&mail=x&tel=x&content=x&setbook=%E6%8F%90%E4%BA%A4&time&ischeck)values(user(),1,1,1,1,1,1)#=1
Why `time&ischeck)` is used: when the SQL statement is finally assembled, the `$data` array is traversed in order. We put `time` into the data array through the POST parameters, and the code itself only adds `time` to the data array after the POST data has been read. The `time` we pass in therefore comes earlier in the array than the code's own, so the code's own `time` can be ignored and our SQL injection takes effect. Below is a demonstration that reveals the database user name.
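To show the defensive side of the loop described above, here is an added example that is not the CMS's own code: the unsafe build pattern next to a hardened version that only accepts known column names and binds values through PDO instead of interpolating them. The table name `book`, the column allow-list and the function names are assumptions for illustration.

```php
<?php
// Added example, not the application's code. Table/column names are assumed.

// Unsafe pattern: the request array is passed straight in, so both the key
// and the value from user input end up inside the statement string.
// Quoting the value does nothing for the key, which is the defect above.
function buildInsertUnsafe(string $table, array $data): string
{
    $cols = [];
    $vals = [];
    foreach ($data as $key => $v) {
        $cols[] = $key;            // attacker-controlled column name
        $vals[] = "'" . $v . "'";  // only the value is quoted
    }
    return "INSERT INTO $table (" . implode(',', $cols) . ') VALUES ('
        . implode(',', $vals) . ')';
}

// Hardened version: keys are checked against a fixed allow-list (assumed
// column set) and values are bound as parameters, so nothing from the
// request is interpolated into the SQL text.
const BOOK_COLUMNS = ['name', 'mail', 'tel', 'content', 'time', 'ischeck'];

function insertBook(PDO $pdo, array $data): int
{
    $cols = [];
    $params = [];
    foreach ($data as $key => $v) {
        if (!in_array($key, BOOK_COLUMNS, true)) {
            // Reject unknown keys instead of letting them reach the SQL.
            throw new InvalidArgumentException("Unexpected column: $key");
        }
        $cols[] = "`$key`";
        $params[":$key"] = $v;
    }
    if ($cols === []) {
        throw new InvalidArgumentException('No columns supplied');
    }
    $sql = 'INSERT INTO `book` (' . implode(',', $cols) . ') VALUES ('
        . implode(',', array_keys($params)) . ')';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return (int) $pdo->lastInsertId();
}

// Usage (assumed DSN): $pdo = new PDO('mysql:host=localhost;dbname=cms', $user, $pass);
// insertBook($pdo, ['name' => 'x', 'mail' => 'x@example.com', 'tel' => '1']);
```

The same check belongs at the point where `$_POST` is copied into `$data`: copy only the expected fields by name rather than the whole request array, so unexpected keys never reach the builder at all.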