### Brief description:

rt (as titled)

### Details:

Tested on the ourphp.net official site with three accounts:

```
admin@qq.com
admin@qq.cn
admin@qq.org
```

Send an internal message from admin@qq.com to admin@qq.cn; its message ID is 1.
Then send an internal message from admin@qq.cn to admin@qq.org; its message ID is 2.

Next, log in as admin@qq.com and visit http://localhost/client/user/ourphp_mail.php?id=1

![Screenshot: message id=1 displayed to admin@qq.com](https://images.seebug.org/upload/201503/081657471f1fd894ab89954d1482f3a4e09ff6a9.png)

Then visit http://localhost/client/user/ourphp_mail.php?id=2

![Screenshot: message id=2 displayed to admin@qq.com](https://images.seebug.org/upload/201503/08165843f1bf9946360cd7ac06fc999e58d14d76.png)

The message that admin@qq.cn sent to admin@qq.org can be read as well.

Look at the code in client/user/ourphp_mail.php:

```php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title></title>
</head>
<body>
<?php
/*
 * Ourphp - CMS website-building system
 * Copyright (C) 2014 ourphp.net
 * Developer: Harbin Weicheng Technology Co., Ltd. (哈尔滨伟成科技有限公司)
 */
include '../../config/ourphp_code.php';
include '../../config/ourphp_config.php';
include '../../config/ourphp_version.php';
include '../../config/ourphp_Language.php';
include '../../function/ourphp_function.class.php';

$id = intval($_GET['id']);
session_start();
// Only checks that *some* user is logged in; it never checks that
// $_SESSION['username'] is the sender or recipient of message $id.
if(!isset($_SESSION['username'])){
    exit("no!");
}
// The message is selected by id alone, so any logged-in user can read any message.
$sql="select OP_Usersend,OP_Usercollect,OP_Usercontent,time from `ourphp_usermessage` where id = ".$id;
$query=mysql_query($sql);
$ourphp_rs=mysql_fetch_array($query)
?>
<table width="90%" border="0" cellpadding="10" style="font-size:12px;">
  <tr>
    <td width="150"><div align="right">发件人:</div></td>
    <td> <?php if($ourphp_rs[0] == $_SESSION['username']){ echo '我';}else{ echo $ourphp_rs[0];} ?></td>
  </tr>
  <tr>
    <td><div align="right">收件人:</div></td>
    <td> <?php echo $ourphp_rs[1]; ?></td>
  </tr>
  <tr>
    <td valign="top"><div align="right">收件内容:</div></td>
    <td> <?php echo $ourphp_rs[2]; ?></td>
  </tr>
  <tr>
    <td><div align="right">时间:</div></td>
    <td> <?php echo $ourphp_rs[3]; ?></td>
  </tr>
</table>
<?php mysql_free_result($query); ?>
</body>
</html>
```

There is no restriction of any kind; the record is read directly by id.

### Proof of vulnerability:

The account setup, the two requests with their screenshots, and the client/user/ourphp_mail.php source listed under Details above.
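The missing check, shown as an added example that is not OurPHP code: a Python/sqlite stand-in for the `ourphp_usermessage` table with the page's three accounts and two messages, where `fetch_vulnerable` mirrors the id-only lookup above and `fetch_hardened` binds the session user into the WHERE clause so a message is returned only to its sender or recipient (the table contents and timestamps are constructed).

```python
import sqlite3

# Constructed in-memory copy of the ourphp_usermessage table from the report:
# message 1 is admin@qq.com -> admin@qq.cn, message 2 is admin@qq.cn -> admin@qq.org.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE ourphp_usermessage (
        id INTEGER PRIMARY KEY, OP_Usersend TEXT, OP_Usercollect TEXT,
        OP_Usercontent TEXT, time TEXT)""")
    db.executemany("INSERT INTO ourphp_usermessage VALUES (?,?,?,?,?)", [
        (1, "admin@qq.com", "admin@qq.cn", "hello cn", "2015-03-08 16:57"),
        (2, "admin@qq.cn", "admin@qq.org", "hello org", "2015-03-08 16:58"),
    ])
    return db

COLUMNS = "OP_Usersend, OP_Usercollect, OP_Usercontent, time"

def fetch_vulnerable(db, session_user, msg_id):
    """Same logic as ourphp_mail.php: require a session, then select by id only."""
    if not session_user:
        return None  # the script's exit("no!")
    return db.execute(f"SELECT {COLUMNS} FROM ourphp_usermessage WHERE id = ?",
                      (int(msg_id),)).fetchone()

def fetch_hardened(db, session_user, msg_id):
    """Ownership check folded into the query: the logged-in user must be the
    sender (OP_Usersend) or the recipient (OP_Usercollect) of the message.
    A foreign id yields no row, so nothing about it leaks to the caller."""
    if not session_user:
        return None
    return db.execute(
        f"SELECT {COLUMNS} FROM ourphp_usermessage WHERE id = ? "
        "AND (OP_Usersend = ? OR OP_Usercollect = ?)",
        (int(msg_id), session_user, session_user)).fetchone()

if __name__ == "__main__":
    db = make_db()
    # Reproduces the report: admin@qq.com reads message 2 through the id-only query...
    print("vulnerable, id=2:", fetch_vulnerable(db, "admin@qq.com", 2))
    # ...but gets nothing once the sender/recipient condition is enforced.
    print("hardened,   id=2:", fetch_hardened(db, "admin@qq.com", 2))
    print("hardened,   id=1:", fetch_hardened(db, "admin@qq.com", 1))
```

The equivalent PHP change is to append the same `and (OP_Usersend = ... or OP_Usercollect = ...)` condition, bound to `$_SESSION['username']`, to the `$sql` string in ourphp_mail.php.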