### 简要描述:

由用户输入表名，未做任何过滤。

### 详细说明:

在 source/pay.php 下：

```php
function buymolds(){
    $this->id=$this->syArgs('id');
    $this->molds=$this->syArgs('molds',1);
    if(!$this->id&&!$this->molds)message("a");
    $this->info=syDB($this->molds)->find(array('id'=>$this->id,'isshow'=>1),null,'title,mgold,litpic');
    if(!$this->info)message("指定购买内容不存在或未审核。");
    if($this->syArgs('run')){
        if($this->mymoney<$this->info['mgold'])message("您的余额不足,请先充值");
        $row=array(
            'type'=>4,
            'uid'=>$this->my['id'],
            'orderid'=>'',
            'money'=>$this->info['mgold'],
            'custom'=>'',
            'payment'=>'',
            'paymentno'=>'',
            'molds'=>$this->molds,
            'aid'=>$this->id,
            'addtime'=>time(),
            'auser'=>'',
        );
        $a=syClass('syaccount',array($row))->payment();
        message($a['msg'],$a['url']);
    }
    $this->positions='<a href="'.$GLOBALS["WWW"].'">首页</a> > 支付中心';
    $this->display("pay/buy_molds.html");
}
```

可以看到表名是可控的。从这段代码看，`$this->molds` 取自 `syArgs('molds',1)` 后未与允许的模块/表名白名单比对就直接传给了 `syDB()`，修复应当在这里按白名单校验表名，而不是依赖对输入做转义。

正常流程是这样的：

[<img src="https://images.seebug.org/upload/201410/06164529c01f114459a57395c5bbc493f4492d05.jpg" alt="]IZI_Y`QK76[6@BO~US]`(W.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/06164529c01f114459a57395c5bbc493f4492d05.jpg)

[<img src="https://images.seebug.org/upload/201410/06164135592309299eeafcb1571fdfdf8eee9369.jpg" alt="XI@TNM93D[FE53}K%[2037P.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/06164135592309299eeafcb1571fdfdf8eee9369.jpg)

当 `molds=article evilcode#` 时：

[<img src="https://images.seebug.org/upload/201410/06164634314270763e8e1a1779eb2a38594ac24a.jpg" alt="`NRPHZ~`QWQ89@GLEVPTS84.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/06164634314270763e8e1a1779eb2a38594ac24a.jpg)

### 漏洞证明:

正常流程是这样的：

[<img src="https://images.seebug.org/upload/201410/06164529c01f114459a57395c5bbc493f4492d05.jpg" alt="]IZI_Y`QK76[6@BO~US]`(W.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/06164529c01f114459a57395c5bbc493f4492d05.jpg)

[<img src="https://images.seebug.org/upload/201410/06164135592309299eeafcb1571fdfdf8eee9369.jpg" alt="XI@TNM93D[FE53}K%[2037P.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/06164135592309299eeafcb1571fdfdf8eee9369.jpg)

当 `molds=article evilcode#` 时：

[<img src="https://images.seebug.org/upload/201410/06164634314270763e8e1a1779eb2a38594ac24a.jpg" alt="`NRPHZ~`QWQ89@GLEVPTS84.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/06164634314270763e8e1a1779eb2a38594ac24a.jpg)