OURPHP <=v7.2.0 Background SQL injection
This function in the website background (the admin panel) can execute SQL statements directly. It requires a password code, but that code can be brute-forced: the default password code is 6 digits, so it is brute-forced in a moment.
We try to execute the following statement:
UPDATE ourphp_mail set OP_Mailpass='37e0c8f50a64a454' WHERE id='4';
You can see that this value is currently 123456
Then we execute the statement, and use Burp to brute-force the password code.
The prompt shows that the operation was successful.
The value has also been changed
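A detection check for the password-code brute forcing described above, added here as an example and not part of the original post or of OURPHP: it scans web-server access logs for bursts of POSTs to the SQL-execution page from one client. The page path (a placeholder), the combined log format, chronologically ordered lines, the 60-second window and the threshold are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Placeholder (assumption): replace with the path of the admin SQL-execution page in your install.
SQL_PAGE = "/ADMIN_DIR/SQL_EXEC_PAGE.php"
WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 5                    # assumed: an administrator rarely submits more per minute

# Combined/common log format: ip - - [time] "METHOD url proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_bursts(lines, path=SQL_PAGE, window=WINDOW, threshold=THRESHOLD):
    """Return {client_ip: peak POST count within one window} for clients over the threshold."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, ts, method, url, _status = m.groups()
        if method != "POST" or url.split("?", 1)[0] != path:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop submissions older than the window
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def sample_lines():
    """Constructed log lines: one client hammering the page, one submitting occasionally."""
    lines = [
        f'203.0.113.7 - - [01/Jan/2024:10:00:{s:02d} +0000] "POST {SQL_PAGE} HTTP/1.1" 200 512'
        for s in range(40)
    ]
    for minute in (5, 20, 45):
        lines.append(
            f'198.51.100.2 - - [01/Jan/2024:09:{minute:02d}:00 +0000] "POST {SQL_PAGE} HTTP/1.1" 200 512'
        )
    lines.append('198.51.100.2 - - [01/Jan/2024:09:46:00 +0000] "GET /index.php HTTP/1.1" 200 1024')
    return lines

if __name__ == "__main__":
    print(find_bursts(sample_lines()))
```

Detection only shortens the time to notice; the fix on the application side is to limit failed password-code attempts for the admin account and to replace the 6-digit default with a long random secret.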
Code download address
https://down.chinaz.com/api/index/download?id=51308&type=code
Just download it and put it directly into PHPstudy
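Please credit the source when reposting. You are welcome to verify the sources cited in this article and to point out any errors or unclear wording. A comment section may be added later, but you can also contact me on GitHub.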