Anwsion(v1.1-Beta4) 注入漏洞（转载）

该问题已被锁定！

1: 关注

1398: 浏览

原文地址：h t t p://rices.so/2743-10-26.html

	public function explore_action()
	{
		// 省略........... By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
		if ($_GET['category'])
		{
			if (is_numeric($_GET['category'])) //据说以前这里也可以注射  所以被isnum了..
			{
				$category_info = $this->model('system')->get_category_info($_GET['category']);
			}
			/*
					省略......
				*/
		// 注射开始! By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
		if (TPL::is_output('block/content_question.tpl.htm', 'home/explore'))
		{
			if (! $_GET['sort_type'])
			{
				$_GET['sort_type'] = 'new';
			}
 
			if ($_GET['sort_type'] == 'unresponsive')
			{
				$_GET['answer_count'] = '0';
			}
			$question_list = $this->model('question')->get_questions_list($_GET['page'], get_setting('contents_per_page'), $_GET['sort_type'], $_GET['topic_id'], $this->user_id, $category_info['id'], $_GET['answer_count'], $_GET['day']);
			//$_GET['topic_id']直接带入了 fvck.fvck! By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
			TPL::assign('question_list', $question_list);
			TPL::assign('question_list_bit', TPL::output('question/ajax/list', false));
	 // 省略....

	public function get_questions_list($page = 1, $pre_page = 10, $sort = 'hot', $topic_id = 0, $uid = null, $category_id = null, $answer_count = null, $day = 30)
	{
		$uid = intval($uid);
 
		$user_id_list = array();
 
		$user_info_list = array();
		$user_list = array();
		$question_info_list = array();
		$question_list = array();
		$limit = calc_page_limit($page, $pre_page);
 
		if ($sort == 'hot')
		{
			$question_info_list = $this->get_hot_question($category_id, $topic_id, $limit, $day);
						//继续带入$topic_id  By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
		}
				//省略...... By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
	public function get_hot_question($category_id = 0, $topic_id = null, $limit = '0, 10', $day = 30)
	{
		$day = intval($day);
 
		if (!$day)
		{
			$add_time = '0';
		}
		else if ($day == 1)
		{
			$add_time = strtotime('-1 day');
		}
		else
		{
			$add_time = strtotime('-' . $day . 'day');
		}
 
		if ($category_id)
		{
			$question_all = $this->fetch_all('question', "add_time > " . $add_time . " AND focus_count > 0 AND agree_count > 0 AND answer_count > 0 AND category_id IN(" . implode(',', $this->model('system')->get_category_with_child_ids('question', $category_id)) . ')');
 
		}
		else if ($topic_id)// 开始了
		{
			$topic_ids = array();
 
			if (is_array($topic_id))
			{
				$topic_ids = $topic_id;
			}
			else
			{
				$topic_ids[] = $topic_id;
			}
			//无任何过滤 又带入了get_question_ids_by_topics_ids函数 By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
			if ($question_ids = $this->model('topic')->get_question_ids_by_topics_ids($topic_ids, 10, null, 'question_id DESC'))
			{
				$question_all = $this->fetch_all('question', "add_time > " . $add_time . " AND question_id IN(" . implode(',', $question_ids) . ')', 'popular_value DESC', $limit);
			}
		}
		else
		{
			$question_all = $this->fetch_all('question', 'add_time > ' . $add_time, 'popular_value DESC', $limit);
		}
 
		return $question_all;
	}
	function get_question_ids_by_topics_ids($topic_ids, $limit, $where = null, $order = 'update_time DESC')
	{
 
		if (!is_array($topic_ids))
		{
			$topic_id_in = $topic_ids;
		}
		else
		{
			$topic_id_in = implode(',', $topic_ids);
		}
		if ($where)
		{
			$where = ' AND ' . $where;
		}
 
		$_order = explode(' ', $order);
 
		if (!$where AND $_order[0] == 'question_id')
		{
			$result = $this->query_all("SELECT question_id FROM " . $this->get_table('topic_question') . " WHERE topic_id IN (" . $topic_id_in . ") ORDER BY " . $order, $limit);
// 直接入库执行了, 注射产生~~  By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
		}
		else
		{ //省略....

不知修复了没？

好问题 0 评论收藏举报

AI智能回复搜索中，请稍后...

0 回答

暂无回答

问题动态

发布时间: 2012-11-06 17:36

更新时间: 2012-11-06 17:36

关注人数: 1 人关注

Anwsion(v1.1-Beta4) 注入漏洞（转载）

Anwsion(v1.1-Beta4) 注入漏洞（转载）

0 评论

问题动态

相关问题