By: 毅心毅意
In response to oldjun's call... here's a small hole........ hehe.. everyone, show some support. Honorary member status is waiting for you.. Speaking of which, 心灵 (girl), you still aren't stepping up. What are you hoarding so many 0days for? You've come to t00ls and I haven't seen you post a single vuln. Before I came here I saw lots of your vulns.. very impressed.. hehe
This vulnerability is pretty interesting...
First, they merged POST and GET into one, but didn't pay attention to the difference between POST and GET. If you GET %27, gpc will affect it, right? But if you POST %27, gpc won't affect it.. hehe, look at the code
function onsearch() {
    $navtitle = '搜索问题';
    $qstatus = $status = $this->get[2];
    (3 == $status) && ($qstatus = "1,2");
    // Look here.. if you GET %27 it gets filtered.. if you GET %2527 it gets processed into %27, no injection..
    // but what if you POST %27? .. the filter is bypassed
    @$word = urldecode($this->post['word'] ? $this->post['word'] : $this->get[3]);
    empty($word) && $this->message("搜索关键!", 'BACK');
    $encodeword = urlencode($word);
    @$page = max(1, intval($this->get[4]));
    $pagesize = $this->setting['list_default'];
    $startindex = ($page - 1) * $pagesize; // 25 shown per page
    $rownum = $_ENV['question']->search_title_num($word, $qstatus); // get the total record count
    $questionlist = $_ENV['question']->search_title($word, $qstatus, $startindex, $pagesize); // question list data
    $departstr = page($rownum, $pagesize, $page, "question/search/$status/$word"); // build the pagination string
    $this->load('setting');
    $wordslist = unserialize($this->setting['hot_words']);
    include template('search');
}
Exploitation: POST the URL-encoded SQL injection statement...............
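The order-of-operations problem above, as an added example (not code from the original post or from the affected project): escapeGpc() is an assumed stand-in for magic_quotes_gpc, hasUnescapedQuote() is a hypothetical check, and the inputs are constructed.

```php
<?php
// Added example, not code from the original post or the affected project.
// Simulates how the search handler treats a quote that arrives already
// escaped versus one that arrives still URL-encoded. escapeGpc() stands in
// for magic_quotes_gpc (assumption: it behaves like addslashes()); $raw is
// the value as PHP already placed it in $_GET / $_POST.

function escapeGpc(string $raw): string {
    return addslashes($raw);            // ' -> \'  (same as magic_quotes_gpc)
}

// Order used by onsearch(): escape on input, urldecode() afterwards.
// A %27 passes the escaping step untouched and only becomes ' later.
function vulnerableWord(string $raw): string {
    return urldecode(escapeGpc($raw));
}

// Hardened order: decode first, escape last, so whatever urldecode()
// produces is still covered by the escaping step. (Better still: drop the
// urldecode(), since PHP already decoded the request, and use bound
// parameters instead of string concatenation.)
function hardenedWord(string $raw): string {
    return escapeGpc(urldecode($raw));
}

// Hypothetical check: a quote not preceded by a backslash can terminate
// the SQL string literal the search builds around $word.
function hasUnescapedQuote(string $word): bool {
    return preg_match("/(?<!\\\\)'/", $word) === 1;
}

// Constructed inputs: a literal quote (what a GET %27 looks like after PHP's
// own decoding), a still-encoded quote, and a double-encoded one.
$inputs = ["'", "%27", "a%2527b"];
foreach ($inputs as $raw) {
    $vuln = vulnerableWord($raw);
    $hard = hardenedWord($raw);
    printf("raw=%-10s vulnerable=%-8s (%s)  hardened=%s (%s)\n",
        json_encode($raw),
        json_encode($vuln), hasUnescapedQuote($vuln) ? 'UNSAFE' : 'ok',
        json_encode($hard), hasUnescapedQuote($hard) ? 'UNSAFE' : 'ok');
}
```

Only the still-encoded input reaches the query with a bare quote under the vulnerable order; under the hardened order every row comes out escaped.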
First published on t00ls... please credit t00ls when reposting.. thanks