作者：Ho1aAs

博客：https://blog.csdn.net/xxy605

进入后台-博客管理-任意选择和删除一个项目

POST /wgNecC_AQV/Ant_Inc.php?action=Clear&sort=info&lgid=1 HTTP/1.1 Host: testcms.com Content-Length: 12 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://testcms.com Referer: http://testcms.com/wgNecC_AQV/Ant_Info.php?type=B Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: Hm_lvt_e2ecc5a8268ea1a4c9862ec7b4ee5b11=1620953819,1620955324,1620955893,1620958111; XDEBUG_SESSION=PHPSTORM; PHPSESSID=l0g9gvv6dcr9q2q2iod65fs2k7; PHPSESSID=l0g9gvv6dcr9q2q2iod65fs2k7 Connection: close  DID[]=17 

POST参数DID[]存在注入

访问Ant_Inc.php，它包含了Ant_Resonse.php

include_once 'Ant_Function.php'; include_once 'Ant_Config.php'; include_once 'Ant_Response.php'; 

访问Ant_Resonse.php，删除并调用以下函数

elseif($action=="Clear"){//删除   if ($table=="sc_categories") { // 产品分类       if (($Ant->AntDelCat($table,$sortID,$db_conn))===true){ ////通过路径分类删除所有相关目录    echo "删除成功";      }else{       echo "删除失败";      }      #code... 相关产品也要操作   }elseif($table=="sc_products" || $table=="sc_info" || $table=="sc_country" || $table=="sc_express" || $table=="sc_delivery" || $table=="sc_currency" || $table=="sc_pay"  || $table=="sc_coupon" || $table=="sc_banner" || $table=="sc_menu" || $table=="sc_link" || $table=="sc_download" || $table=="sc_email" || $table=="sc_mailtemplate" || $table=="sc_mulu" || $table=="sc_user" || $table=="sc_language" || $table=="sc_order"|| $table=="sc_member" ||  $table=="sc_address" || $table=="sc_msg"){ //产品删除        if(empty($DID)){         echo 'err';        }else{        $sortID=implode(",",$DID);         if ($table=="sc_delivery"){ ////删除国家区域相应的配送方式ID         $exid=@$_GET['exid'];         $CountryID=RecountryID($sortID,$db_conn);         $db_conn->query("UPDATE sc_country SET expressid=replace(expressid,',$exid,',',') where ID in($CountryID)");         }        if (($Ant->AntDel($table,$sortID,$db_conn))===true){     echo "删除成功";       }else{        echo "删除失败";       }          }  }else{          if (($Ant->AntDelother($table,$sortID,$db_conn))===true){    echo "删除成功";      }else{       echo "删除失败";      }    } 

重点在于$Ant->AntDel($table,$sortID,$db_conn),追函数Ant_Class.php

public function AntDel($table,$id,$db){// 删                       if($db->query("DELETE FROM  $table WHERE ID in ($id)")){                   return true;                 }else{                   return false;                 }             } 

无过滤直接拼接删除，导致注入漏洞

无过滤布尔盲注，时间盲注