### 简要描述: No check out。 ### 详细说明: 在ajax.php中 ``` $file[file_id] = (int)$file[file_id]; $file[file_size] = (int)$file[file_size]; $file[file_extension] = $db->escape(trim($file[file_extension])); $file[file_name] = $db->escape(trim($file[file_name])); $num = @$db->result_first("select count(*) from {$tpf}files where yun_fid='{$file[file_id]}' and userid='$pd_uid'"); if($num && $file[file_id]){ $tmp_ext = $file[file_extension] ? '.'.$file[file_extension] : ''; $msg = $file[file_name].$tmp_ext; }else{ $report_status =0; $report_arr = explode(',',$settings['report_word']); if(count($report_arr)){ foreach($report_arr as $value){ if (strpos($file['file_name'],$value) !== false){ $report_status = 2; } } } $ins = array( 'yun_fid' => $file[file_id], 'file_name' => $file[file_name], 'file_key' => $file_key, 'file_extension' => $file[file_extension], 'file_mime' => 'application/octet-stream', 'file_description' => $file[file_description], 'file_size' => $file['file_size'], 'file_time' =>...
### 简要描述: No check out。 ### 详细说明: 在ajax.php中 ``` $file[file_id] = (int)$file[file_id]; $file[file_size] = (int)$file[file_size]; $file[file_extension] = $db->escape(trim($file[file_extension])); $file[file_name] = $db->escape(trim($file[file_name])); $num = @$db->result_first("select count(*) from {$tpf}files where yun_fid='{$file[file_id]}' and userid='$pd_uid'"); if($num && $file[file_id]){ $tmp_ext = $file[file_extension] ? '.'.$file[file_extension] : ''; $msg = $file[file_name].$tmp_ext; }else{ $report_status =0; $report_arr = explode(',',$settings['report_word']); if(count($report_arr)){ foreach($report_arr as $value){ if (strpos($file['file_name'],$value) !== false){ $report_status = 2; } } } $ins = array( 'yun_fid' => $file[file_id], 'file_name' => $file[file_name], 'file_key' => $file_key, 'file_extension' => $file[file_extension], 'file_mime' => 'application/octet-stream', 'file_description' => $file[file_description], 'file_size' => $file['file_size'], 'file_time' => $timestamp, 'is_checked' => $is_checked, 'in_share' => $in_share, 'report_status' => $report_status, 'userid' => $pd_uid, 'folder_id' => $folder_id ? $folder_id : -1, 'ip' => $onlineip, ); $sql = "insert into {$tpf}files set ".$db->sql_array($ins).";"; ``` 这里$file[file_extension] = $db->escape(trim($file[file_extension])); 被转义了。 然后带入到了insert当中。 在viewfile.php中 ``` $file_id = (int)gpc('file_id','GP',0); $code = trim(gpc('code','G','')); $rs = @$db->fetch_one_array("select * from {$tpf}files where file_id='$file_id'"); ``` 这里出库, ``` $relate_file = get_relate_file("select file_id,file_key,file_name,file_extension,file_size,file_time from {$tpf}files where ((is_public=1 and is_checked=1) or in_share=1) and in_recycle=0 and userid='{$file['userid']}' and file_id<>'$file_id' order by file_id desc limit 10"); $you_like_file = get_relate_file("select file_id,file_key,file_name,file_extension,file_size,file_time from {$tpf}files where ((is_public=1 and is_checked=1) or in_share=1) and in_recycle=0 and file_id<>'$file_id' order by rand() limit 10"); if($settings['show_relative_file']){ $C[relate_file] = get_relate_file("select file_id,file_key,file_name,file_extension,file_size,file_time from {$tpf}files where ((is_public=1 and is_checked=1) or in_share=1) and in_recycle=0 and file_extension='{$file[file_extension]}' and file_id<>'$file_id' order by file_id desc limit 15"); ``` 这里 把出库的$file[file_extension] 带入到了查询当中 ### 漏洞证明: [<img src="https://images.seebug.org/upload/201406/011904247383c1eb588fa053c7a85898d47ee898.jpg" alt="p1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/011904247383c1eb588fa053c7a85898d47ee898.jpg) 首先对file_extension序列化 再base64一次 入库 然后出库。 [<img src="https://images.seebug.org/upload/201406/011906159aab21e912f8103a5ec6de9148ec9ac7.jpg" alt="p2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/011906159aab21e912f8103a5ec6de9148ec9ac7.jpg)
