<p>discuz ychat插件注入漏洞</p><p>table_ychat_rooms.php</p><p>code 区域</p> <pre> public function fetch_all_by_category($categoryID,$start=0,$limit=0)<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> if(!$categoryID)<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> return null;<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> $result=array();<br style="margin: 0px; padding: 0px;"> $result=DB::fetch_all("select * from ".DB::table($this->table)." where categoryID=".$categoryID." order by cnum desc ". DB::limit($start, $limit));//直接带入查询<br style="margin: 0px; padding: 0px;"> <br style="margin: 0px; padding: 0px;"> return $result; </pre><p><br><br>rooms.php<br><br><br><br></p><p>code 区域</p> <pre> if(!defined('IN_DISCUZ')) {<br style="margin: 0px; padding: 0px;"> exit('Access Denied');<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> $_G['disabledwidthauto'] = 1;<br...
<p>discuz ychat插件注入漏洞</p><p>table_ychat_rooms.php</p><p>code 区域</p> <pre> public function fetch_all_by_category($categoryID,$start=0,$limit=0)<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> if(!$categoryID)<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> return null;<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> $result=array();<br style="margin: 0px; padding: 0px;"> $result=DB::fetch_all("select * from ".DB::table($this->table)." where categoryID=".$categoryID." order by cnum desc ". DB::limit($start, $limit));//直接带入查询<br style="margin: 0px; padding: 0px;"> <br style="margin: 0px; padding: 0px;"> return $result; </pre><p><br><br>rooms.php<br><br><br><br></p><p>code 区域</p> <pre> if(!defined('IN_DISCUZ')) {<br style="margin: 0px; padding: 0px;"> exit('Access Denied');<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> $_G['disabledwidthauto'] = 1;<br style="margin: 0px; padding: 0px;"> ...<br style="margin: 0px; padding: 0px;"> $avatarimg=UC_API."/avatar.php?uid=".$_G["uid"]."&size=small";<br style="margin: 0px; padding: 0px;"> $croomsarray=C::t("#ychat#ychat_rooms")->fetch_all_by_category($_GET["cid"]);//传入get值</pre>
