CmsTop Media Edition: three blind SQL injection vulnerabilities in one template (not all site users affected)

Published: 2025-04-13
Revised: 2025-04-13

### Brief description:

Not every site has these templates installed; this template has a moderate number of users.

### Detailed description:

The vulnerable file is /apps/rss/controller/fullsite.php:

```
public function get_sectiondata(){
    $sectionid = $_GET['sectionid']; // multiple IDs, separated by ','
    $outtyle = $_GET['outtyle']; // output type
    $section_list = $this->_rss->ls_section($sectionid);
    $data = array();
    foreach($section_list as $section){
        if ($section['data'] && ($section['data']{0} == '{' || $section['data']{0} == '[')) {
            $data[] = json_decode($section['data'], true);
        } else {
            $data[] = unserialize($section['data']);
```

Tracing the ls_section function, in /apps/rss/model/fullsite.php:

```
function ls_section($sectionid){
    $sql = "SELECT * FROM `#table_section` ";
    if($sectionid) $sql .= " WHERE sectionid IN (".$sectionid.")";
    $sql .= " ORDER BY sectionid DESC";
    $data = $this->db->select($sql);
    return $data;
}
```

```
$sectionid = $_GET['sectionid'];
(".$sectionid.")";
```

As shown, `$sectionid` goes from `$_GET` into the `IN (...)` clause with no filtering and no single quotes. I do not know whether there is filtering somewhere else, because I have not fully decrypted the source code. We need to use subtraction-based blind injection to test whether an injection exists.

First one:

```
http://app.ellechina.com/?app=rss&controller=fullsite&action=get_sectiondata&sectionid=1&outtyle=1...
```
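A hardened counterpart to the `ls_section` query above, as an added example rather than CmsTop code: it reduces the comma-separated `sectionid` list to integers and builds the `IN (...)` clause with placeholders. The helper names `parse_section_ids` and `build_section_query` are hypothetical, and it assumes the database layer can bind parameters, which the page does not show.

```php
<?php
// Added example, not CmsTop code. Helper names are hypothetical.

/**
 * Parse a comma-separated id list such as "3,7,12" into unique integers.
 * One token that is not a plain decimal number rejects the whole input.
 */
function parse_section_ids(string $raw, int $max = 50): array
{
    if ($raw === '') {
        return [];                     // no filter requested, as in the original
    }
    $ids = [];
    foreach (explode(',', $raw) as $token) {
        $token = trim($token);
        // ctype_digit() is false for '', '2-1', '1)', 'abc' and '0x1A'
        if (!ctype_digit($token) || strlen($token) > 9) {
            throw new InvalidArgumentException('sectionid must be a list of integers');
        }
        $ids[(int) $token] = true;     // array key de-duplicates
    }
    if (count($ids) > $max) {
        throw new InvalidArgumentException('too many section ids');
    }
    return array_keys($ids);
}

/** Build the statement with one placeholder per id; the values travel separately. */
function build_section_query(array $ids): array
{
    $sql = 'SELECT * FROM `#table_section`';
    if ($ids) {
        $marks = implode(',', array_fill(0, count($ids), '?'));
        $sql .= " WHERE sectionid IN ($marks)";
    }
    return [$sql . ' ORDER BY sectionid DESC', $ids];
}

// Constructed inputs: legitimate lists, then values that are not integer lists.
foreach (['1', '3, 7,12,7', '', '2-1', '1,abc'] as $raw) {
    try {
        [$sql, $params] = build_section_query(parse_section_ids($raw));
        printf("%-12s => %s  [%s]\n", var_export($raw, true), $sql, implode(',', $params));
    } catch (InvalidArgumentException $e) {
        printf("%-12s => rejected: %s\n", var_export($raw, true), $e->getMessage());
    }
}
```

Because an arithmetic expression such as `2-1` is rejected before any SQL is built, the database never evaluates request data as part of the statement.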
