<p><font color="#209361">漏洞文件: framework\inp_control.php</font></p><p><font color="#209361">文件代码:</font></p><p>f<font color="#209361">unction index_f()</font></p><p><font color="#209361"> {</font></p><p><font color="#209361"> $type = $this->get("type");</font></p><p><font color="#209361"> $content = $this->get("content");</font></p><p><font color="#209361"> if($type == "title" && $content)</font></p><p><font color="#209361"> {</font></p><p><font...
<p><font color="#209361">漏洞文件: framework\inp_control.php</font></p><p><font color="#209361">文件代码:</font></p><p>f<font color="#209361">unction index_f()</font></p><p><font color="#209361"> {</font></p><p><font color="#209361"> $type = $this->get("type");</font></p><p><font color="#209361"> $content = $this->get("content");</font></p><p><font color="#209361"> if($type == "title" && $content)</font></p><p><font color="#209361"> {</font></p><p><font color="#209361"> $this->get_title_list($content);</font></p><p><font color="#209361"> }</font></p><p><font color="#209361"> elseif($type == "user" && $content)</font></p><p><font color="#209361"> {</font></p><p><font color="#209361"> $this->get_user_list($content);</font></p><p><font color="#209361"> }</font></p><p><font color="#209361"> json_exit("ok");</font></p><p><font color="#209361"> }</font></p><p><font color="#209361"> </font></p><p><font color="#209361"> function get_user_list($content)</font></p><p><font color="#209361"> {</font></p><p><font color="#209361"> $content = explode(",",$content);</font></p><p><font color="#209361"> $list = array();</font></p><p><font color="#209361"> foreach($content AS $key=>$value)</font></p><p><font color="#209361"> {</font></p><p><font color="#209361"> $value = intval($value);</font></p><p><font color="#209361"> if($value) $list[] = $value;</font></p><p><font color="#209361"> }</font></p><p><font color="#209361"> $list = array_unique($list);</font></p><p><font color="#209361"> $content = implode(",",$list);</font></p><p><font color="#209361"> if(!$content) json_exit("ok");</font></p><p><font color="#209361"> $condition = "l.id IN(".$content.")";</font></p><p><font color="#209361"> $rslist = $this->model("list")->get_all($condition,0,0);</font></p><p><font color="#209361"> if($rslist)</font></p><p><font color="#209361"> {</font></p><p><font color="#209361"> json_exit($rslist,true);</font></p><p><font color="#209361"> }</font></p><p><font color="#209361"> json_exit("ok");</font></p><p><font color="#209361"> }</font></p><p><br><font color="#209361"></font></p><p><font color="#209361">type必须为user,如为title查询不了内容</font></p><p><br></p><p><font color="#209361"><br></font></p><p><img data-image-size="796,431" src="https://images.seebug.org/contribute/70ba1a48-861d-4f78-ad1c-05a3290c0e72-QQ截图20150920012050.png" alt="QQ截图20150920012050.png"><br></p><p><br></p><p><img data-image-size="1278,353" src="https://images.seebug.org/contribute/747c9e1f-6bd9-48a0-8344-9f5ef744675f-QQ截图20150920012206.png" alt="QQ截图20150920012206.png"><br></p><p><br></p><p><font color="#209361">这种漏洞一般都是因为程序员闲麻烦而导致的,所以也告诉了我们一个道理:做开发的,一定不能闲麻烦...</font><br></p>
