# CVE-2018-16356

**Repository Path**: escape_wang/CVE-2018-16356

## Basic Information

- **Project Name**: CVE-2018-16356
- **Description**: CVE-2018-16356 detail
- **Primary Language**: Unknown
- **License**: Not specified
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 1
- **Forks**: 0
- **Created**: 2018-09-13
- **Last Updated**: 2020-12-18

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# CVE-2018-16356

#### Project Introduction

CVE-2018-16356 detail

There is a SQL injection via `api.php/List/index?order=123`. The `$order` parameter is what we can control.

![Image description](https://images.gitee.com/uploads/images/2018/0913/105150_b27f7af5_2104759.png "screenshot.png")

Go to the function `getList`: the parameter is used in the function `order`.

![Image description](https://images.gitee.com/uploads/images/2018/0913/105217_61165fd5_2104759.png "screenshot.png")

Go to the function `order`:

![Image description](https://images.gitee.com/uploads/images/2018/0913/105228_955458c7_2104759.png "screenshot.png")

![Image description](https://images.gitee.com/uploads/images/2018/0913/105247_7a15eb24_2104759.png "screenshot.png")
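The project's code appears on this page only as screenshots, so the following is an added example and not the affected project's own code. It shows the pattern the write-up describes, a request-supplied `order` value reaching the ORDER BY clause, next to an allow-list version; the function names, column names and sample inputs are hypothetical.

```php
<?php
// Added example, not code from the affected project.
// Function names, column names and inputs below are hypothetical.

// Vulnerable pattern: the request value is concatenated into ORDER BY as-is.
function order_clause_unsafe(string $order): string
{
    return ' ORDER BY ' . $order;
}

// Hardened pattern: identifiers cannot be bound as prepared-statement
// parameters, so each sort key is checked against a fixed allow-list and
// the direction is reduced to ASC or DESC. Anything else falls back to a
// server-chosen default.
function order_clause_safe(string $order, array $allowed, string $default = 'id DESC'): string
{
    $parts = [];
    foreach (explode(',', $order) as $item) {
        // Accept only "<column>" or "<column> <asc|desc>".
        if (!preg_match('/^\s*([A-Za-z_][A-Za-z0-9_]*)(?:\s+(asc|desc))?\s*$/i', $item, $m)) {
            return ' ORDER BY ' . $default;
        }
        $column = strtolower($m[1]);
        if (!in_array($column, $allowed, true)) {
            return ' ORDER BY ' . $default;
        }
        $direction = !empty($m[2]) ? strtoupper($m[2]) : 'ASC';
        $parts[] = $column . ' ' . $direction;
    }
    return ' ORDER BY ' . implode(', ', $parts);
}

$allowed = ['id', 'date', 'sorting'];   // hypothetical sortable columns

// Constructed inputs: two well-formed sort requests, one with an extra
// expression appended, and the value from the URL quoted in the write-up.
$samples = ['date desc', 'sorting,id DESC', 'date desc, (select 1)', '123'];

foreach ($samples as $order) {
    printf("%-24s unsafe:%-34s safe:%s\n",
        $order,
        order_clause_unsafe($order),
        order_clause_safe($order, $allowed));
}
```

Only the two well-formed requests change the hardened clause; the other two inputs produce the default ordering, while the unsafe version passes every input through to the SQL text unchanged.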