### Brief description:
Damn it...
### Detailed description:
Note: what I tested is the x2.4 build downloaded on February 16, which may not be the latest version, so this may duplicate an existing report...
Look at line 41 of https://images.seebug.org/upload/Admin/Lib/Action/TopicAction.class.php:
```php
$topicname = $_POST['topicname'];   // takes the parameter straight from the POST body
if ($topicname) {
    $count = $tModel->where("topicname LIKE '%$topicname%'")->count();   // count of matching rows
} else {
    $count = $tModel->count();
}
$p = new Page($count, 20);
$page = $p->show("admin.php?s=/Topic/index/order/$order/p/");
if ($topicname) {   // check whether the topicname parameter was supplied
    // the unescaped value is concatenated into the query
    $content = $tModel->where("topicname LIKE '%$topicname%'")->order($condition)->limit($p->firstRow . ',' . $p->listRows)->select();
} else {
    $content = $tModel->order($condition)->limit($p->firstRow . ',' . $p->listRows)->select();
}
```
Set it up locally, then go to the admin backend:
[![QQ图片20140218184853.jpg](https://images.seebug.org/upload/201402/18184954d5af659eebf7823c2b3bd0910293ea85.jpg)](https://images.seebug.org/upload/201402/18184954d5af659eebf7823c2b3bd0910293ea85.jpg)
Capture the request while searching and feed it to sqlmap:
[![QQ图片20140218184832.jpg](https://images.seebug.org/upload/201402/1818503068a6463b7d1014e1a7c5c310005c0633.jpg)](https://images.seebug.org/upload/201402/1818503068a6463b7d1014e1a7c5c310005c0633.jpg)
### Proof of vulnerability:
There is another one at line 72 of https://images.seebug.org/upload/Admin/Lib/Action/UsersAction.class.php:
```php
public function search() {
    $user_name = $_REQUEST['user_name'];   // accepts the parameter from the request
    $group = $_REQUEST['group'];
    import("@.ORG.Page");
    C('PAGE_NUMBERS', 10);
    $umodel = M('Users');
    if ($group) {
        if ($user_name) {
            $where = "user_name LIKE '%$user_name%' AND ";   // concatenated straight into the SQL statement
        } else {
            $where = "";
        }
        if ($group == 'all') {
            $where .= "1";
        } else if ($group == 'admin1') {
            $where .= "isadmin=1";
        } else if ($group == 'admin2') {
            $where .= "isadmin=2";
        } else if ($group == 'public') {
            $where .= "isadmin=0 AND userlock=0";
        } else if ($group == 'lock') {
            $where .= "userlock=1";
        } else if ($group == 'close') {
            $where .= "userlock=2";
        } else if (is_numeric($group) && $group > 0) {
            $where .= "user_auth='$group'";
        }
        $count = $umodel->where($where)->count();   // count query
        // remainder of the method not shown in the report
    }
}
```
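Both snippets share the same defect: the search term is pasted into a `LIKE '%...%'` string and handed to `where()` as raw SQL. The following is an added example, not code from this report or from the affected project, showing how the two handlers can be rewritten so that user input is only ever bound as a parameter. It assumes a PDO connection `$db`, table names `topic` and `users` (the snippets only show the model objects, not the physical tables), and uses `!` as the LIKE escape character so that a search for `50%` matches literally.

```php
<?php
// Added example (not the project's code). Assumed: a PDO handle $db with
// ATTR_EMULATE_PREPARES disabled, and tables named `topic` and `users`.

// Escape LIKE metacharacters so the user's text is matched literally.
// '!' is replaced first so the escape marks inserted afterwards are not doubled.
function escapeLike(string $s): string {
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $s);
}

// Hardened counterpart of the topic search: the term is bound, never interpolated.
function countTopics(PDO $db, ?string $topicname): int {
    if ($topicname === null || $topicname === '') {
        return (int) $db->query("SELECT COUNT(*) FROM topic")->fetchColumn();
    }
    $stmt = $db->prepare("SELECT COUNT(*) FROM topic WHERE topicname LIKE :name ESCAPE '!'");
    $stmt->execute([':name' => '%' . escapeLike($topicname) . '%']);
    return (int) $stmt->fetchColumn();
}

// Hardened counterpart of the user search: $group is resolved through a fixed
// whitelist of SQL fragments, the numeric branch is bound as an integer, and
// anything else is rejected instead of being appended to the WHERE clause.
function searchUsers(PDO $db, ?string $userName, string $group): array {
    $groupClauses = [
        'all'    => '1',
        'admin1' => 'isadmin = 1',
        'admin2' => 'isadmin = 2',
        'public' => 'isadmin = 0 AND userlock = 0',
        'lock'   => 'userlock = 1',
        'close'  => 'userlock = 2',
    ];
    $params = [];
    if (isset($groupClauses[$group])) {
        $groupSql = $groupClauses[$group];
    } elseif (ctype_digit($group) && (int) $group > 0) {
        $groupSql = 'user_auth = :auth';
        $params[':auth'] = (int) $group;
    } else {
        throw new InvalidArgumentException('unknown group filter');
    }

    $sql = "SELECT * FROM users WHERE " . $groupSql;
    if ($userName !== null && $userName !== '') {
        $sql .= " AND user_name LIKE :name ESCAPE '!'";
        $params[':name'] = '%' . escapeLike($userName) . '%';
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with an assumed connection (DSN and credentials are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=cms', 'user', 'pass', [
//     PDO::ATTR_EMULATE_PREPARES => false,
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
// $count = countTopics($db, $_POST['topicname'] ?? null);
// $rows  = searchUsers($db, $_REQUEST['user_name'] ?? null, $_REQUEST['group'] ?? 'all');
```

The `M()`, `C()` and `import("@.ORG.Page")` helpers in the original point to ThinkPHP 3.x, whose `where()` also accepts an array condition (for example `array('topicname' => array('like', '%term%'))`) that the framework quotes itself; the PDO version above is framework-independent and makes the point explicit: column names and operators come from code, values come from bound parameters.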