作者:俺是农村的
QQ:332876777
\core\include_v5\shopCore.php
public function shopCore( )
{
parent::kernel( );
if ( isset( $_POST['spgdif'] ) )
{
$this->spgdif( ); //进入函数 By:俺是农村的
exit( );
}
............................
}
public function spgdif( )
{
include_once( CORE_DIR."/func_ext.php" );
if ( $_POST['session'] && $_POST['query'] && $_POST['sign'] ) //没任何过滤 QQ:332876777
{
if ( md5( $_POST['query'].$_POST['session']."shopex_stats" ) == $_POST['sign'] ) //MD5 验证,我们可以自己控制。
{
$cert = $this->loadModel( "service/certificate" );
if ( $data = $cert->session_vaild( $_POST['session'] ) )
{
$this->fetchdata( $_POST['query'] );
}
..........................
public function fetchdata( $params )
{
$params = unserialize( $params );
$sql = "SELECT ";
foreach ( $params['fields'] as $key => $value )
{
$sql .= $value['method']."(".$value['name'].")";
if ( $value['alias'] )
{
$sql .= " as ".$value['alias']; //代入sql By:小翔
}
$sql .= ",";
}
$sql = substr( $sql, 0, -1 );
$sql .= " FROM ".$params['tbl']." ";
...............
$db = $this->database( );
ob_start( );
$data = $db->select( $sql );
ob_end_clean( );
if ( $data )
{
echo json_encode( array(
"res" => "succ",
"data" => $data //没任何干扰,全部显示出来!(人品好了点。) By:俺是农村的
) );
}
else
{
echo json_encode( array(
"res" => "fail",
"data" => $sql
) );
}
}
exp在附件
附件: shopex.rar (1.68 K, 下载次数:388)
只显示10条记录相关文章
shopex 4.8.5.45144 getshell 囧版 0day (浏览: 10692, 评论: 0)
Shopex V4.8.4 V4.8.5 0Day 通杀+ 官方测试 (浏览: 16255, 评论: 0)
SHOPEX最新漏洞利用 (浏览: 10520, 评论: 0)
ShopEx PHP远程包含漏洞 (浏览: 10222, 评论: 0)
ShopEx 4.7.2 漏洞 (浏览: 13042, 评论: 0)