VULHUB ™

### 简要描述： 过滤不严。 ### 详细说明： 在member.php ``` case 'check_info_gold': $json = new Services_JSON; extract($_REQUEST); $m_gold = $db->getOne("select gold from {$table}member where userid='$_userid' "); $data['kou'] = $CFG['info_top_gold'] * intval($number); $data['gold'] = $m_gold - $data['kou']; $data=$json->encode($data); echo $data; break; ``` extract变量覆盖。 直接覆盖掉$table 然后补全语句 然后注入。 ### 漏洞证明： [<img src="https://images.seebug.org/upload/201402/2221213246022d89907aafca8919afa258b2b1b8.jpg" alt="UQ1~4[HI$C0N0W(@%{8TMNH.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/2221213246022d89907aafca8919afa258b2b1b8.jpg)

### 简要描述： 过滤不严。 ### 详细说明： 在member.php ``` case 'check_info_gold': $json = new Services_JSON; extract($_REQUEST); $m_gold = $db->getOne("select gold from {$table}member where userid='$_userid' "); $data['kou'] = $CFG['info_top_gold'] * intval($number); $data['gold'] = $m_gold - $data['kou']; $data=$json->encode($data); echo $data; break; ``` extract变量覆盖。 直接覆盖掉$table 然后补全语句 然后注入。 ### 漏洞证明： [<img src="https://images.seebug.org/upload/201402/2221213246022d89907aafca8919afa258b2b1b8.jpg" alt="UQ1~4[HI$C0N0W(@%{8TMNH.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/2221213246022d89907aafca8919afa258b2b1b8.jpg)