### 简要描述:

TCCMS SQL注入漏洞

### 详细说明:

/app/controller/index.class.php

```php
public function search() {
    $_Obj = M("news");
    $skey = $_POST["key"];
    $where = empty($skey) ? "1=1" : "title like '%$skey%'";//注入
    $_Obj->field("id,uid,classid,smallmemo,title,photo,photo_s,addtime,hits,isphoto,levels,top,flashpic,special,reply");
    $_Obj->pageSize = 40;
    $_Obj->where($where);
    $objAry = $_Obj->getList();
    $categoryObj = M("category");
    $classId = intval($_GET['classid']);
    $isParent = $categoryObj->ifHavePid($classId);
    $categoryAry = array();
    if (empty($classId)) { //没有栏目ID
        $categoryAry = $categoryObj->field("id, pid, name")->where("mid=1 and pid = 0")->limit(1000)->find();
    } else if ($isParent) { //有子栏目
        $categoryAry = $categoryObj->field("id, pid, name")->where("mid=1 and pid = " . $classId)->limit(1000)->find();
    } else { //无子栏目
        $pObj = $categoryObj->load($classId);
        $pId = $pObj->pid;
        $categoryAry = $categoryObj->field("id, pid, name")->where("mid=1 and pid = " . $pId)->limit(1000)->find();
    }
    //关键字
```

问题根源：`$_POST["key"]` 未经转义或参数绑定即被直接拼接进 `title like '%...%'` 的 WHERE 字符串；同一方法中的 `classid` 经过了 `intval()` 处理，而 `key` 没有任何过滤。修复应改用预处理语句绑定参数，或至少在拼接前对 `key` 做数据库层面的转义。

### 漏洞证明:

测试方法 127.0.0.1/tccms//index.php?ac=index_search key=1111111121' 可以绕过防注入的~~

[<img src="https://images.seebug.org/upload/201311/2219213670b949a3e4678b928b87d4d8341cb022.jpg" alt="QQ截图20131122191529.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201311/2219213670b949a3e4678b928b87d4d8341cb022.jpg)