齐博CMS 二次注入3

### 简要描述： 奇博地方门户V5.0，二次注入 ### 详细说明： /news/js.php中 ``` if($type=='hot'||$type=='com'||$type=='new'||$type=='lastview'||$type=='like') { if($f_id) { if(is_numeric($f_id)){ $SQL=" fid=$f_id "; }else{ $detail=explode(",",$f_id); $SQL=" fid IN ( ".implode(",",$detail)." ) "; } } else { $SQL=" 1 "; } if($type=='com') { $SQL.=" AND levels=1 "; $ORDER=' list '; $_INDEX=" USE INDEX ( list ) "; } elseif($type=='hot') { $ORDER=' hits '; $_INDEX=" USE INDEX ( hits ) "; } elseif($type=='new') { $ORDER=' list '; $_INDEX=" USE INDEX ( list ) "; } elseif($type=='lastview') { $ORDER=' lastview '; $_INDEX=" USE INDEX ( lastview ) "; } elseif($type=='like') { $SQL.=" AND id!='$id' "; if(!$keyword) { extract($db->get_one("SELECT keywords AS keyword FROM {$_pre}content WHERE id='$id'")); } if($keyword){ $SQL.=" AND ( "; $keyword=urldecode($keyword); //URLDECODE解码 $detail=explode(" ",$keyword); unset($detail2); foreach( $detail AS $key=>$value){ $detail2[]=" BINARY title LIKE '%$value%' "; } $str=implode(" OR ",$detail2); $SQL.=" $str ) "; }else{ $SQL.=" AND 0 "; } $_INDEX=" USE INDEX ( list ) "; $ORDER=' list '; } $SQL=" $_INDEX WHERE $SQL AND yz=1 ORDER BY $ORDER DESC LIMIT $rows"; $which='*'; $_target=$target?'_blank':'_self'; if($path){ $_path=preg_replace("/(.*)\/([^\/]+)/is","\\1/",$WEBURL); } if($icon==1){ $_icon="·"; }else{ $_icon="&nbsp;"; } $listdb=listcontent($SQL,$which,$leng); foreach($listdb AS $key=>$rs) { $show.="$_icon<A target='$_target' HREF='{$_path}bencandy.php?fid=$rs[fid]&id=$rs[id]' title='$rs[full_title]'>$rs[title]</A> "; } if(!$show){ $show="暂无..."; } ``` 起初总是不成功，后来才看到，下面代码$keyword进入explode函数，将空格拆分了，所以使用/**/替换 ``` if($keyword){ $SQL.=" AND ( "; $keyword=urldecode($keyword); $detail=explode(" ",$keyword); unset($detail2); foreach( $detail AS $key=>$value){ $detail2[]=" BINARY title LIKE '%$value%' "; } $str=implode(" OR ",$detail2); $SQL.=" $str ) "; }else{ $SQL.=" AND 0 "; } ``` ### 漏洞证明： 还是使用，qibo的成功案例网站 http://tongyuxian.com/ [<img src="https://images.seebug.org/upload/201411/1607510366b51fb86d9b6d602bedd88387dc714c.jpg" alt="zcc.JPG" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/1607510366b51fb86d9b6d602bedd88387dc714c.jpg)