### Brief description:
Insufficient input filtering (SQL injection).
### Details:
In app/controller/picture.class.php:
```
<?php
// app/controller/picture.class.php (excerpt). Every request value below is
// concatenated into $where as-is; only $key is wrapped in single quotes.
class picture {
    public $objName = 'picture';
    public function all() {
        $_Obj = M($this->objName);
        $categoryObj = M("category");
        $_Obj->pageSize = 20;
        $where = "1=1";
        $key = $_POST['key'];   // quoted below, but still spliced into the string
        $cid = $_GET['cid'];    // unquoted numeric context
        if ($key != "") {
            $where .= " and id = '" . $key . "' or title like '%$key%'";
        }
        if (!empty($cid) && $cid != "") {
            $where .= " and classid = " . $cid;
        }
        if ($_GET["type"] == "user") {
            $where .= " and uid = " . $_COOKIE['userId'];   // cookie value, unquoted
        }
        if (isset($_GET['yz'])) {
            $where .= " AND yz =".$_GET['yz'];
        }
        if (isset($_GET['levels'])) {
            $where .= " AND levels =".$_GET['levels'];
        }
        if (isset($_GET['special'])) {
            $where .= " AND special =".$_GET['special'];
        }
        if (isset($_GET['top'])) {
            $where .= " AND top =".$_GET['top'];
        }
        if (isset($_GET['flashpic'])) {
            $where .= " AND flashpic =".$_GET['flashpic'];
        }
        $_Obj->setSortId();
        $orderBy = $_GET['sortId'];   // also concatenated, into the ORDER BY
        $_objAry = $_Obj->where($where)->orderby("id ".$orderBy)->getList();
    }
}
```
The assembled string is then passed straight into the query. Of all the concatenated values, only `$key` is wrapped in single quotes:

```
if ($key != "") {
    $where .= " and id = '" . $key . "' or title like '%$key%'";
```

Every other value (`cid`, `userId`, `yz`, `levels`, `special`, `top`, `flashpic`, and `sortId` in the ORDER BY) is concatenated bare, so no quote has to be closed. `$_GET` is filtered aggressively, commas included, which makes it awkward for a time-based probe. So use the `$_COOKIE['userId']` sink instead (reached when `type=user`). `and` and `or` are filtered, so substitute `&&`.
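As an added example (not part of this report and not the project's code), the Python below mirrors the WHERE-clause concatenation from `picture::all()`, runs it over a constructed model of the input filter the report describes (`and`/`or` stripped from every value, commas additionally stripped from `$_GET`; the real filter function is not on the page, so this is an assumption), and then shows a hardened builder that casts numeric columns, binds the text search as a parameter, and whitelists the ORDER BY direction. The in-memory `picture` table is constructed for the demo.

```python
import re
import sqlite3

# Assumed model of the application's global input filter as the report describes it:
# "and"/"or" are stripped from every value, and $_GET additionally loses commas.
# The real filter is not shown on the page; this is a constructed approximation.
def app_filter(value, from_get=False):
    value = re.sub(r"(?i)and|or", "", value)
    if from_get:
        value = value.replace(",", "")
    return value


def build_where(get, cookie, post):
    """Reproduces the string concatenation in picture::all() on already-filtered
    input. Every value except $key lands unquoted in a numeric comparison."""
    where = "1=1"
    key = post.get("key", "")
    if key != "":
        where += " and id = '" + key + "' or title like '%" + key + "%'"
    cid = get.get("cid", "")
    if cid != "":
        where += " and classid = " + cid
    if get.get("type") == "user":
        where += " and uid = " + cookie.get("userId", "")   # cookie: no comma filter
    for col in ("yz", "levels", "special", "top", "flashpic"):
        if col in get:
            where += " AND " + col + " =" + get[col]
    return where


def build_where_safe(get, cookie, post):
    """Hardened rewrite (added here, not the project's code): numeric columns are
    cast with int() and raise ValueError on anything else; the free-text search
    is passed as bound parameters instead of being spliced into the string."""
    where, params = "1=1", []
    key = post.get("key", "")
    if key != "":
        where += " AND (id = ? OR title LIKE ?)"
        params += [key, "%" + key + "%"]
    cid = get.get("cid", "")
    if cid != "":
        where += " AND classid = ?"
        params.append(int(cid))
    if get.get("type") == "user":
        where += " AND uid = ?"
        params.append(int(cookie.get("userId", "")))
    for col in ("yz", "levels", "special", "top", "flashpic"):
        if col in get:
            where += " AND " + col + " = ?"   # column name comes from the fixed tuple
            params.append(int(get[col]))
    return where, params


def safe_direction(sort_id):
    """ORDER BY direction cannot be bound as a parameter, so whitelist it."""
    return "DESC" if str(sort_id).strip().lower() == "desc" else "ASC"


def demo_db():
    """Constructed in-memory table standing in for the real `picture` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE picture (id INTEGER, title TEXT, classid INTEGER, uid INTEGER,"
                 " yz INTEGER, levels INTEGER, special INTEGER, top INTEGER, flashpic INTEGER)")
    conn.executemany("INSERT INTO picture VALUES (?, ?, ?, ?, 0, 0, 0, 0, 0)",
                     [(1, "cat", 1, 1), (2, "dog", 1, 2), (3, "catfish", 2, 1)])
    return conn


def run_safe(conn, get, cookie, post, sort_id=""):
    where, params = build_where_safe(get, cookie, post)
    sql = "SELECT id FROM picture WHERE " + where + " ORDER BY id " + safe_direction(sort_id)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    # Through $_GET the filter wrecks a classic payload: the "or" and any comma are gone.
    print(build_where({"cid": app_filter("1 or 1=1", from_get=True)}, {}, {}))
    # Through $_COOKIE, "&&" survives and is a valid MySQL AND, so the tail of the
    # clause is evaluated for every matched row (the time-based probe the report uses).
    print(build_where({"type": "user"}, {"userId": app_filter("1 && sleep(5)")}, {}))
    # The hardened builder refuses the same cookie value outright.
    try:
        build_where_safe({"type": "user"}, {"userId": "1 && sleep(5)"}, {})
    except ValueError as e:
        print("rejected:", e)
    print(run_safe(demo_db(), {"type": "user"}, {"userId": "1"}, {"key": "cat"}, "desc, (select 1)"))
```

The `&&` token carries no `and`/`or` substring and no comma, which is why it survives the modelled filter intact; the fix is not a better blacklist but removing string concatenation from the numeric comparisons and the sort direction entirely.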
### Proof of vulnerability:
![1.jpg](https://images.seebug.org/upload/201402/151642479123202de51d2ed3a2b0168207879e15.jpg)
![2.jpg](https://images.seebug.org/upload/201402/151642572e6340c5d0781eab339a8b8c76b51c47.jpg)
![3.jpg](https://images.seebug.org/upload/201402/15164306c343eddb441d7a97551c91d6639353e2.jpg)