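<?php
/*
 * Advisory excerpt — affected product: Cmsez Web Content Manage System v2.0.0
 * (http://www.cmsez.com/). Vulnerable files: comments.php and viewimg.php.
 *
 * Both quoted files are truncated in the advisory: comments.php stops at the
 * "saveComment" case label and viewimg.php stops inside its else-branch. The
 * open switch/else blocks are therefore left open here on purpose; nothing
 * past the cut is reconstructed.
 *
 * Issues fixed relative to the quoted code:
 *   - $_REQUEST['id'] (comments.php) and $_GET['aid'] (viewimg.php) were
 *     interpolated raw into SQL (where post_aid='$id' / where aid=$aid):
 *     SQL injection. $id was additionally echoed raw into generated
 *     JavaScript/HTML: reflected XSS. Both values are now cast to int.
 *   - `$confirm==false;` in viewimg.php was a no-op comparison, not an
 *     assignment, so $confirm was never set.
 *   - Bare constants used as array keys / prefix() arguments (action, id,
 *     aid, user_level, forum, images) are quoted; `<?` short tags are `<?php`.
 */

// ===========================================================================
// comments.php
// ===========================================================================
include "mainfile.php";

$art = new article();

// Settings
$confirm = 'yes';   // yes: a comment is shown only after admin approval; no: shown immediately
$member = new member();
$user_info = $member->member_auth();
$ulevel = $user_info['user_level'];

######## settings #############
$action    = $_REQUEST['action'];
$page      = "10";   // not used within this excerpt
$need_user = "0";    // not used within this excerpt

// Untrusted input: $id is interpolated into SQL and into the generated
// JavaScript/HTML in the showNum case. Casting to int keeps it from breaking
// out of either context.
// NOTE(review): assumes post_aid is a numeric article id — confirm against the schema.
$id = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : 0;

$fdb = $PlusDB->prefix('forum');   // comments table

switch ($action) {
    case "showNum":
        $sql = "select count(*) as num from " . $fdb . " where post_aid='$id'";
        $showNum = $PlusDB->getone($sql);
        // Emits JavaScript that opens the comment pop-up and writes the
        // "N comments" link; $id is an int here, $showNum comes from the DB.
        echo "
function comment(id) {
    var page = \"" . PLUS_URL . "/comments.php?id=\" + id ;
    popwin = window.open(page,\"\",\"width=460,height=500,scrollbars,resizable\")
    popwin.focus();
}
document.open();
document.write(\"<a href=\\\"javascript:comment('$id')\\\" title=\\\"" . _LANG_0930 . "\\\">" . _LANG_0931 . " $showNum " . _LANG_0932 . "</a>\");
document.close();";
        break;

    case "saveComment":
        // … excerpt truncated in the advisory: the saveComment handler and the
        // rest of comments.php are not shown …

<?php
// ===========================================================================
// viewimg.php (its own header comment calls it image.php) — serves the
// image attached to an article.
// ===========================================================================
include "mainfile.php";

$member = new member();
$confirm = false;   // true: members only; false: everyone. (Quoted code had `$confirm==false;`, a no-op.)
$user_info = $member->member_auth();

if ($user_info['user_level'] == "Guest" && $confirm == true) {
    include "modules/member/index.php";
} else {
    $imgdb = $PlusDB->prefix('images');

    // Untrusted input. $aid is interpolated unquoted into the query below, so
    // the bare $_GET value was a direct SQL injection; both ids are cast to int.
    // NOTE(review): how $id is used lies past the cut of this excerpt.
    $id  = isset($_GET['id'])  ? (int) $_GET['id']  : 0;
    $aid = isset($_GET['aid']) ? (int) $_GET['aid'] : 0;

    $sql = "select id from $imgdb where aid=$aid order by id ";
    // … excerpt truncated in the advisory: query execution and image output
    // are not shown …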