### 简要描述:

程氏CMS_V3.5_ 正式版，更新时间: 2014-02-18，下载次数: 13145，表示下载的这个是最新的了吧？无需登录，无视 GPC。

### 详细说明:

在 app/controllers/zj.php 中:

```php
public function so() {
    $data='';$data_content='';
    $fid = $this->security->xss_clean($this->uri->segment(3)); //方式
    $key = $this->security->xss_clean($this->uri->segment(4)); //关键字
    $page = intval($this->security->xss_clean($this->uri->segment(5))); //页数
    if($page==0) $page=1;
    $key=$this->CsdjSkins->rurlencode($key);
    if(empty($key)) $key = $this->input->post('key', TRUE);
    $cache_id ="topic_so_".$fid."_".$key."_".$page;
```

`$key = $this->security->xss_clean($this->uri->segment(4));` —— xss_clean 把单引号过滤掉了，但是后面还有 rurlencode 这一步，看看它:

```php
function rurlencode($string) {
    $key=rawurldecode($string);
    if($this->is_utf8($key)){
        $key=iconv('UTF-8', 'GB2312', $key);
    }
    return $key;
}
```

它做的是 URL 解码：过滤发生在解码之前，所以经过 URL 编码的引号能原样通过 xss_clean，解码后才变回真正的引号，过滤就被无视了。直接看 SQL 拼接处:

```php
$pagenum=$this->CsdjSkins->GetPageNum($Mark_Text);
preg_match_all('/{cscms:topic(.*?pagesize=([\S]+).*?)}([\s\S]+?){\/cscms:topic}/',$Mark_Text,$page_arr);//判断是否有分页标识
if(!empty($page_arr) && !empty($page_arr[2])){
    if($fid=='tags'){
        $sqlstr="select * from ".CS_SqlPrefix."topic where CS_YID=0 and CS_Tags like '%".$key."%' order by CS_AddTime desc";
    }else{
        $sqlstr="select * from ".CS_SqlPrefix."topic where CS_YID=0 and CS_Name like '%".$key."%' or CS_Year like '%".$key."%' order by CS_AddTime desc";
    }
    $Arr=$this->CsdjSkins->SpanPage($sqlstr,$page_arr[2][0],$pagenum,'so','zj',$fid,urlencode($key),1,$page);//sql,每页显示条数
    $result=$this->CsdjDB->db->query($Arr[2]);
    $recount=$result->num_rows();
    if($recount==0){
```

解码后的 `$key` 未经转义就直接拼进了 `like '%...%'` 里。这里看一下语句，然后构造一下。修复上应在拼接前对 `$key` 做数据库转义，或改用参数化查询，而不是依赖 xss_clean。

### 漏洞证明:

[![2.jpg](https://images.seebug.org/upload/201402/22160042d05873de82a85de1d0c0b888a9d72f7b.jpg)](https://images.seebug.org/upload/201402/22160042d05873de82a85de1d0c0b888a9d72f7b.jpg)

[![3.jpg](https://images.seebug.org/upload/201402/22160123515200987d41dc37337bd0455b412f9a.jpg)](https://images.seebug.org/upload/201402/22160123515200987d41dc37337bd0455b412f9a.jpg)

官网测试成功。