### 简要描述: 之前看了厂商的回复说的是文章列表那个页面有问题,这次我提交的是图片列表页面存在注入 ### 详细说明: app\controller\picture.class.php 代码如下 ``` public function all() { $_Obj = M($this->objName); $categoryObj = M("category"); $_Obj->pageSize = 20; $where = "1=1"; $key = $_POST['key']; $cid = $_GET['cid']; if ($key != "") { $where .= " and id = '" . $key . "' or title like '%$key%'"; } if (!empty($cid) && $cid != "") { $where .= " and classid = " . $cid; //没处理存在注入 } if ($_GET["type"] == "user") { $where .= " and uid = " . $_COOKIE['userId']; //没处理存在注入 } if (isset($_GET['yz'])) { $where .= " AND yz =".$_GET['yz']; //没处理存在注入 } if (isset($_GET['levels'])) { $where .= " AND levels =".$_GET['levels'];//没处理存在注入 } if (isset($_GET['special'])) { $where .= " AND special =".$_GET['special'];//没处理存在注入 } if (isset($_GET['top'])) { $where .= " AND top =".$_GET['top']; //没处理存在注入 } if (isset($_GET['flashpic'])) { $where .= " AND flashpic =".$_GET['flashpic']; //没处理存在注入 } $_Obj->setSortId(); $orderBy = $_GET['sortId']; //没处理存在注入...
### 简要描述: 之前看了厂商的回复说的是文章列表那个页面有问题,这次我提交的是图片列表页面存在注入 ### 详细说明: app\controller\picture.class.php 代码如下 ``` public function all() { $_Obj = M($this->objName); $categoryObj = M("category"); $_Obj->pageSize = 20; $where = "1=1"; $key = $_POST['key']; $cid = $_GET['cid']; if ($key != "") { $where .= " and id = '" . $key . "' or title like '%$key%'"; } if (!empty($cid) && $cid != "") { $where .= " and classid = " . $cid; //没处理存在注入 } if ($_GET["type"] == "user") { $where .= " and uid = " . $_COOKIE['userId']; //没处理存在注入 } if (isset($_GET['yz'])) { $where .= " AND yz =".$_GET['yz']; //没处理存在注入 } if (isset($_GET['levels'])) { $where .= " AND levels =".$_GET['levels'];//没处理存在注入 } if (isset($_GET['special'])) { $where .= " AND special =".$_GET['special'];//没处理存在注入 } if (isset($_GET['top'])) { $where .= " AND top =".$_GET['top']; //没处理存在注入 } if (isset($_GET['flashpic'])) { $where .= " AND flashpic =".$_GET['flashpic']; //没处理存在注入 } $_Obj->setSortId(); $orderBy = $_GET['sortId']; //没处理存在注入 $_Obj->isAdmin = 1; $_objAry = $_Obj->where($where)->orderby("id ".$orderBy)->getList(); $pidSelectStr = $categoryObj->getTree($categoryObj, 2,false); $this->setValue("pidSelectStr", $pidSelectStr); $this->setValue("categoryObj", $categoryObj); $this->setValue("objAry", $_objAry); $this->setValue("Obj", $_Obj); $this->setValue("action", "list"); $this->forward("user/pictureList.html"); } ``` ### 漏洞证明: 本地搭建测试 不需要登录就可以直接注入 先看下cid参数 http://192.168.1.103/index.php?ac=picture_all&cid=6 AND 1=1 [<img src="https://images.seebug.org/upload/201401/1415563631b0736db7b089362bab6007ba5235ec.png" alt="1=1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/1415563631b0736db7b089362bab6007ba5235ec.png) http://192.168.1.103/index.php?ac=picture_all&cid=6 AND 1=2 [<img src="https://images.seebug.org/upload/201401/14155717eeb93d80da132098742665f95e861e79.png" alt="1=2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/14155717eeb93d80da132098742665f95e861e79.png) 接着看下cookie['userId']; 不需要登录就可以直接注入 [<img src="https://images.seebug.org/upload/201401/141603185674b5d9edd78645f54558d7afba6bb9.png" alt="USER 1=1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/141603185674b5d9edd78645f54558d7afba6bb9.png) [<img src="https://images.seebug.org/upload/201401/141603465bab537480fe2adfa70f60c716b2624e.png" alt="USER 1=2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/141603465bab537480fe2adfa70f60c716b2624e.png) ....另一些参数也存在同样的注入问题
