### Brief description:

Damn it...

### Detailed description:

Note that what I tested is the x2.4 version downloaded on February 16, which may not be the latest, so I suspect this is a duplicate...

Look at line 41 of https://images.seebug.org/upload/Admin/Lib/Action/TopicAction.class.php:

```
$topicname=$_POST['topicname'];// receives the POST parameter here
if ($topicname) {
    $count=$tModel->where("topicname LIKE '%$topicname%'")->count();// count
} else {
    $count=$tModel->count();
}
$p= new Page($count,20);
$page = $p->show("admin.php?s=/Topic/index/order/$order/p/");
if ($topicname) {// check whether a topicname parameter was passed
    $content = $tModel->where("topicname LIKE '%$topicname%'")->order($condition)->limit($p->firstRow.','.$p->listRows)->select();// carried into the query
} else {
    $content = $tModel->order($condition)->limit($p->firstRow.','.$p->listRows)->select();
```

Set it up locally and go to the admin backend:

[![QQ图片20140218184853.jpg](https://images.seebug.org/upload/201402/18184954d5af659eebf7823c2b3bd0910293ea85.jpg)](https://images.seebug.org/upload/201402/18184954d5af659eebf7823c2b3bd0910293ea85.jpg)

Capture the request while searching and feed it to sqlmap:

[![QQ图片20140218184832.jpg](https://images.seebug.org/upload/201402/1818503068a6463b7d1014e1a7c5c310005c0633.jpg)](https://images.seebug.org/upload/201402/1818503068a6463b7d1014e1a7c5c310005c0633.jpg)

### Proof of vulnerability:

There is another one at line 72 of https://images.seebug.org/upload/Admin/Lib/Action/UsersAction.class.php:

```
public function search() {
    $user_name=$_REQUEST['user_name'];// receives the parameter
    $group=$_REQUEST['group'];
    import("@.ORG.Page");
    C('PAGE_NUMBERS',10);
    $umodel=M('Users');
    if ($group) {
        if ($user_name) {
            $where="user_name LIKE '%$user_name%' AND ";// carried into the SQL statement
        } else {
            $where="";
        }
        if ($group=='all') {
            $where.="1";
        } else if ($group=='admin1') {
            $where.="isadmin=1";
        } else if ($group=='admin2') {
            $where.="isadmin=2";
        } else if ($group=='public') {
            $where.="isadmin=0 AND userlock=0";
        } else if ($group=='lock') {
            $where.="userlock=1";
        } else if ($group=='close') {
            $where.="userlock=2";
        } else if (is_numeric($group) && $group>0) {
            $where.="user_auth='$group'";
        }
        $count=$umodel->where($where)->count();// count query
```
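Both locations share the same defect: a request value is spliced into a `LIKE '%...%'` string. The following is an added example, not code from the report or from the CMS, that rebuilds that filter in a self-contained PHP script: `build_where_unsafe()` reproduces the report's concatenation, and `search_topics_safe()` performs the same lookup with a PDO prepared statement plus escaped LIKE wildcards. The `topic` table and its rows are constructed sample data in an in-memory SQLite database.

```php
<?php
// Added example (not from the report or the CMS). The same LIKE search as
// TopicAction/UsersAction, once as the vulnerable string build and once as
// a parameterised query. Uses a constructed in-memory SQLite table.

function build_where_unsafe(string $topicname): string {
    // The pattern from the report: the raw request value becomes SQL text,
    // so a single quote in $topicname terminates the string literal and the
    // remainder is parsed as SQL.
    return "topicname LIKE '%$topicname%'";
}

function escape_like(string $value, string $esc = '\\'): string {
    // Escape the escape character first, then the LIKE metacharacters, so a
    // user-supplied '%' or '_' is matched literally instead of as a wildcard.
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $value);
}

function search_topics_safe(PDO $db, string $topicname): array {
    // The value is bound as a parameter; it never becomes part of the SQL
    // text, so quotes in it cannot change the statement's structure.
    $sql  = "SELECT topicname FROM topic WHERE topicname LIKE :pat ESCAPE '\\'";
    $stmt = $db->prepare($sql);
    $stmt->execute([':pat' => '%' . escape_like($topicname) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE topic (id INTEGER PRIMARY KEY, topicname TEXT)");
$ins = $db->prepare("INSERT INTO topic (topicname) VALUES (?)");
foreach (['php security', 'sql injection 101', '100% news'] as $t) {
    $ins->execute([$t]);
}

// Constructed input containing a single quote and a wildcard character.
$input = "news' OR '1'='1";
echo "Unsafe WHERE clause: " . build_where_unsafe($input) . PHP_EOL;

// The safe search treats the whole input as a literal substring.
print_r(search_topics_safe($db, $input));
print_r(search_topics_safe($db, 'sql'));
print_r(search_topics_safe($db, '100%'));   // '%' is escaped, matched literally
```

In ThinkPHP 3.x the framework-level equivalent is the array form of `where()`, e.g. `$tModel->where(array('topicname' => array('like', "%$topicname%")))`, which passes the value through the framework's escaping instead of string concatenation; the PDO version above shows the underlying principle without the framework.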