### 简要描述: @人时过滤不严。 ### 详细说明: 在apiaction.class.php中 ``` public function atuserlist() { parent::init(); $keyword=$this->_post('keyword');//可控 if (!$keyword) { $dt=array(); $dt=D('AtusersView')->where("Atusers.user_id='".$this->my['user_id']."'")->order("dateline DESC")->limit(20)->select(); if ($dt) { foreach($dt as $val) { $k.= "<li>".$val['atnickname']."</li>"; } echo $k; } else { echo '<center>'.L('nouserlist').'</center>'; } } else { $data1=$data2=$dt=array(); $dt=D('AtusersView')->where("Atusers.user_id='".$this->my['user_id']."' AND nickname LIKE '%$keyword%'")->order("dateline DESC")->limit(10)->select(); $umodel=D('Users'); $data1=$umodel->friends($this->my['user_id']); $data2=$umodel->follows($this->my['user_id']); foreach ($data1 as $val) { $user[]=$val['nickname']; } ``` keyword是未过滤的。 进行了模糊查询。 所执行的语句 来看看 SELECT Atusers.id AS id,Atusers.user_id AS user_id,Atusers.atuname AS atuname,Atusers.atnums AS atnums,Atusers.dateline AS dateline,Users.nickname AS nickname FROM...
### 简要描述: @人时过滤不严。 ### 详细说明: 在apiaction.class.php中 ``` public function atuserlist() { parent::init(); $keyword=$this->_post('keyword');//可控 if (!$keyword) { $dt=array(); $dt=D('AtusersView')->where("Atusers.user_id='".$this->my['user_id']."'")->order("dateline DESC")->limit(20)->select(); if ($dt) { foreach($dt as $val) { $k.= "<li>".$val['atnickname']."</li>"; } echo $k; } else { echo '<center>'.L('nouserlist').'</center>'; } } else { $data1=$data2=$dt=array(); $dt=D('AtusersView')->where("Atusers.user_id='".$this->my['user_id']."' AND nickname LIKE '%$keyword%'")->order("dateline DESC")->limit(10)->select(); $umodel=D('Users'); $data1=$umodel->friends($this->my['user_id']); $data2=$umodel->follows($this->my['user_id']); foreach ($data1 as $val) { $user[]=$val['nickname']; } ``` keyword是未过滤的。 进行了模糊查询。 所执行的语句 来看看 SELECT Atusers.id AS id,Atusers.user_id AS user_id,Atusers.atuname AS atuname,Atusers.atnums AS atnums,Atusers.dateline AS dateline,Users.nickname AS nickname FROM et_atusers Atusers LEFT JOIN et_users Users ON Atusers.atuname=Users.user_name WHERE Atusers.user_id='2' AND nickname LIKE '%admin%' ORDER BY Atusers.dateline DESC LIMIT 10 构造一下语句看看。 其中过滤了select 和 and 把其中的s 和 a 会变成全角。 利用大写 就能绕过了。 ### 漏洞证明: [<img src="https://images.seebug.org/upload/201402/131818138e3c5b7d9ea3d9194fc6af782f6566c3.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/131818138e3c5b7d9ea3d9194fc6af782f6566c3.jpg) [<img src="https://images.seebug.org/upload/201402/131818269a2234f2f434d450d48e856fa8b27017.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/131818269a2234f2f434d450d48e856fa8b27017.jpg) [<img src="https://images.seebug.org/upload/201402/131818393053ea87eb71eda4d1b5818cf621de3a.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/131818393053ea87eb71eda4d1b5818cf621de3a.jpg)
