We enter the management page, Go to website settings.
Next, I want to inject php code by modifying these settings.
From the config.php file we found that the modified configuration will be written that.
The format of configuration writing is as follows.
define('WEBNAME', 'taoCMS演示');
So according to the grammar rules of php, I made the following request.
payload: taoCMS演示');phpinfo();//
But I found that after executing the request, the code of the config.php file will have a syntax error.
define('WEBNAME', 'taoCMS演示'');phpinfo();//');
when i view the taocms/include/Config.php, When the configuration is modified, the configuration is checked for security.
Follow taocms/include/Base.php, in the safeword function.
The core point of discovery is that if the database type is Sqlite, a single (') will be replaced by a pair ('').
After knowing all this, I constructed a payload, add a () to escape ('). Note that the database type is Sqlite.
payload: taoCMS演示\');phpinfo();//
After executing the request this time, I found that I successfully modified the configuration, and the code syntax check passed.
When I access Config.php everything works fine and the php code runs correctly.
But I found that after executing the request, the code of the config.php file will have a syntax error.
when i view the taocms/include/Config.php, When the configuration is modified, the configuration is checked for security.