TCCMS SQL Injection Vulnerability (multiple locations in the same file)

Published: 2025-04-13
Revised: 2025-04-13

### Summary:

In /app/controller/picture.class.php, the `all()` method builds its SQL WHERE clause by string concatenation. The POST parameter `key` is inserted without any escaping, and the GET parameter `cid` and the `userId` cookie are concatenated unquoted, so the query can be manipulated from several points in the same file.

### Details:

/app/controller/picture.class.php

```php
public function all() {
    $_Obj = M($this->objName);
    $categoryObj = M("category");
    $_Obj->pageSize = 20;
    $where = "1=1";
    $key = $_POST['key']; // injection: taken straight from POST, never escaped
    $cid = $_GET['cid'];
    if ($key != "") {
        // injection: $key is concatenated into the quoted string; several
        // of the concatenations below are injectable as well
        $where .= " and id = '" . $key . "' or title like '%$key%'";
    }
    if (!empty($cid) && $cid != "") {
        $where .= " and classid = " . $cid; // unquoted: no quote needed to inject
    }
    if ($_GET["type"] == "user") {
        $where .= " and uid = " . $_COOKIE['userId']; // cookie value, also unquoted
        // ... remainder of the method omitted in the advisory
    }
}
```

### Proof of Vulnerability:

Test method:

1. Open 127.0.0.1/tccms//index.php?ac=picture_all
2. POST key=1111111121'

The unbalanced quote breaks the generated statement and produces a database error.

Screenshot (QQ截图20131122185726.jpg): https://images.seebug.org/upload/201311/22190203c3ded3fae76ee615f29829787eceb803.jpg
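The following script is an added example, not code from the advisory or from TCCMS. It reproduces the WHERE-clause concatenation of `all()` in Python against an in-memory SQLite table with constructed sample rows, shows why the advisory's payload errors out and what a working payload returns, and places a parameterised version beside it. The table name `picture`, the column names and the sample rows are assumptions; SQLite is used so the script runs offline, and for these payloads (quote-delimited strings, `''` as an escaped quote, `-- ` line comments) MySQL tokenises the same way.

```python
import sqlite3

# Constructed sample data: the real TCCMS schema is not shown in the advisory,
# so the table and column names are assumptions for this example.
SAMPLE_ROWS = [
    (1, "sunset", 1, 100),
    (2, "private album", 2, 200),
    (3, "cat", 1, 100),
]


def make_db():
    """In-memory SQLite stand-in for the picture table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table picture (id integer, title text, classid integer, uid integer)")
    conn.executemany("insert into picture values (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def build_where(key, cid="", type_="", user_id=""):
    """Mirror the concatenation in picture.class.php all():
    key <- $_POST['key'], cid <- $_GET['cid'], type_ <- $_GET['type'],
    user_id <- $_COOKIE['userId']. Nothing is escaped or cast."""
    where = "1=1"
    if key != "":
        where += " and id = '" + key + "' or title like '%" + key + "%'"
    if cid != "":
        where += " and classid = " + cid
    if type_ == "user":
        where += " and uid = " + user_id
    return where


def vulnerable_query(conn, key, cid="", type_="", user_id=""):
    """Run the concatenated query. Returns (rows, error) so both the syntax
    error from the advisory's PoC and a successful bypass are observable."""
    sql = "select id, title from picture where " + build_where(key, cid, type_, user_id)
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return [], str(exc)


def safe_query(conn, key, cid="", type_="", user_id=""):
    """Hardened form: bound parameters for strings, integer casts for ids, and
    parentheses so the title match cannot override the classid/uid filters."""
    sql = "select id, title from picture where 1=1"
    params = []
    if key != "":
        sql += " and (id = ? or title like ?)"
        params += [key, "%" + key + "%"]
    if cid != "":
        if not cid.isdigit():
            raise ValueError("cid must be an integer")
        sql += " and classid = ?"
        params.append(int(cid))
    if type_ == "user":
        if not user_id.isdigit():
            raise ValueError("userId must be an integer")
        sql += " and uid = ?"
        params.append(int(user_id))
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The advisory's PoC: an unbalanced quote breaks the statement.
    print(vulnerable_query(db, "1111111121'"))
    # A comment sequence reduces the clause to "id = '' or 1=1": every row.
    print(vulnerable_query(db, "' or 1=1 -- "))
    # Even without a quote, "or title like" is not parenthesised, so an id in
    # key escapes the uid filter and returns another user's row.
    print(vulnerable_query(db, "2", type_="user", user_id="100"))
    # cid is concatenated unquoted: numeric injection needs no quote at all.
    print(vulnerable_query(db, "", cid="1 or 1=1"))
    # The parameterised version treats the same inputs as plain data.
    print(safe_query(db, "' or 1=1 -- "))
    print(safe_query(db, "2", type_="user", user_id="100"))
```

Two points worth noting from the run. First, the `key` parameter is injectable even where the database rejects the stray quote, because `-- ` comments out the rest of the clause. Second, the original clause is also wrong without any injection: `and id = '...' or title like '...'` is parsed as `(1=1 and id = key) or (title like key and classid = ... and uid = ...)`, so supplying another record's id in `key` bypasses the `uid` restriction. In PHP the equivalent of `safe_query` is a PDO or mysqli prepared statement with the same parentheses and `(int)` casts.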
