佚名MYHACK58:62201235039Modoer. system of injection of several versions through the kill-vulnerability warning-the black bar safety net
Not to force the injection, to engage a station dig of, search it’s a large station with this little impact on the issue to share learning, nonsense not say more, see our pork point~~~~~
First\core\modules\item\ajax. php start calling~
$do = trim($_GET[‘do’]); $op = trim($_GET[‘op’]); // allows the operating behavior of the $allowacs = array( ‘respond’, ‘review’, ‘subject’, ‘picture’, ‘guestbook’); // By. Rices -> Forum: T00ls.Net -> Blog: Rices. so // require login operation $loginacs = array( ‘post_respond’, ‘delete_respond’, ‘add_flower’, ‘post_membereffect’, ‘add_favorite’, ‘post_guestbook’ ); // return address $_G[‘forward’] = $_G[‘web’][‘referer’] ? $_G[‘web’][‘referer’] : $_G[‘cfg’][‘siteurl’]; $act = empty($do) || ! in_array($do, $allowacs) ? ": $do; if(!$ do) redirect(‘global_op_unkown’); include MOD_ROOT . ‘ajax’ . DS . $do . ‘. php’; //op=get_membereffect&do=subject 开始 调用 subject.php
\core\modules\item\ajax\subject.php 1 4 8 rows
case ‘get_membereffect’: if(!$ sid = _post(‘sid’, 0, ‘intval’)) redirect(lang(‘global_sql_keyid_invalid’, ‘sid’)); if(! isset($_POST[‘effect’])) redirect(lang(‘member_effect_unkown_effect’)); $S =& $_G[‘loader’]->model(‘item:subject’); if(!$ subject = $S->read($sid,‘pid,name,subname,pid,status’,false)) redirect(lang(‘item_empty’)); if(!$ model = $S->get_model($subject[‘pid’], TRUE)) redirect(‘item_model_empty’); // By. Rices -> Forum: T00ls.Net -> Blog: Rices. so $idtype = $model[‘tablename’]; $effect = $_POST[‘effect’]; //not filtered $M =& $_G[‘loader’]->model(‘member:membereffect’); $M->add_idtype($idtype, ‘subject’, ‘sid’); if($_POST[‘member’] && $_POST[‘member’] != ‘0’) { if($list = $M->get_member($sid, $idtype, $effect)) { //start of injection get_member function in\core\modules\member\model\membereffect_class. php file while($val = $list->fetch_array()) { echo ‘<li><div><a title="’.$ val[‘username’].‘" href target=“_blank”><img src />’.$ val[‘username’].‘</ a></div></li>’; } } else { redirect(‘global_empty_info’); } } else { $totals = $M->total($sid, $idtype); if($totals) { foreach($totals as $key => $val) { if(substr($key, 0, 6) == ‘effect’) { echo $split . $val; $split = ‘|’; } } } else { echo ‘0/0’; } } output(); break;
\core\modules\member\model\membereffect_class.php 8 line 6
function get_member($id, $idtype, $effect) { $this->db->from($this->table); $this->db->where(‘id’, $id); //where the function will use the addslashes processing the second parameter of $this->db->where(‘idtype’, $idtype); $this->db->where($effect, 1); //The first parameter is only a simple verification and no quotation marks surrounding directly into the where function to continue injection… return $this->db->get(); //after the where after processing proceeds to the get implementation.~}
\core\lib\database.php 1 5 5 rows
// Set the query field function where($key, $value=“, $split=‘AND’) { if(is_array($key)) { foreach ($key as $k => $v) { if(is_array($v) && count($v)==2 && is_array($v[1])) { echo “.$ k.$ v.”; $fun = $v[0]; $args = array_merge(array($k), $v[1]); call_user_func_array(array(&$this, $fun), $args); } else { $this->where($k, $v, $split); } } // By. Rices -> Forum: T00ls.Net -> Blog: Rices. so } elseif($key==‘{sql}’) { $this->_exp_where(‘sql’, $value, $split); } elseif(is_array($value)) { $this->where_in($key, $value, $split); } else { //the key is here the first parameter is not filtered if the controlled value in value no. $where = $this->_ck_field($key) . the " = " . $this->_escape($value); //_escape will use the addslashes process value //and _ck_field will only use preg_match(”/['\"<>]+/", $field)to deal with as long as the $key value didn’t single quotes you can bypass the $this->where .= ($this->where ? "$split " : ") . $where; //echo $where; } }
! [](/Article/UploadPic/2012-9/2 0 1 2 9 2 6 1 7 1 2 4 8 3 9 6 3 6. png)