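### Brief description:
As per the title.
### Detailed description:
Tested against the official ourphp.net release.
Three accounts are used for testing: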
```
admin@qq.com
admin@qq.cn
admin@qq.org
```
1. As admin@qq.com, send an internal message to admin@qq.cn. This message gets ID 1.
2. As admin@qq.cn, send an internal message to admin@qq.org. This message gets ID 2.
3. Log in as admin@qq.com.
4. Visit http://localhost/client/user/ourphp_mail.php?id=1

![Screenshot of the id=1 request](https://images.seebug.org/upload/201503/081657471f1fd894ab89954d1482f3a4e09ff6a9.png)

5. Then visit http://localhost/client/user/ourphp_mail.php?id=2

![Screenshot of the id=2 request](https://images.seebug.org/upload/201503/08165843f1bf9946360cd7ac06fc999e58d14d76.png)

The message that admin@qq.cn sent to admin@qq.org can also be read by admin@qq.com. Here is the code of client/user/ourphp_mail.php:
```
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title></title>
</head>
<body>
<?php
/*
* Ourphp - CMS site-building system
* Copyright (C) 2014 ourphp.net
* Developer: 哈尔滨伟成科技有限公司
*/
include '../../config/ourphp_code.php';
include '../../config/ourphp_config.php';
include '../../config/ourphp_version.php';
include '../../config/ourphp_Language.php';
include '../../function/ourphp_function.class.php';
$id = intval($_GET['id']);
session_start();
if(!isset($_SESSION['username'])){
exit("no!");
}
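// Columns: OP_Usersend (sender), OP_Usercollect (recipient), OP_Usercontent (body).
// The row is selected by id alone; the session user is never part of the WHERE clause.
$sql="select OP_Usersend,OP_Usercollect,OP_Usercontent,time from `ourphp_usermessage` where id = ".$id;
$query=mysql_query($sql);
$ourphp_rs=mysql_fetch_array($query);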
?>
<table width="90%" border="0" cellpadding="10" style="font-size:12px;">
<tr>
<td width="150"><div align="right">发件人:</div></td>
<td> <?php if($ourphp_rs[0] == $_SESSION['username']){ echo '我';}else{ echo $ourphp_rs[0];} ?></td>
</tr>
<tr>
<td><div align="right">收件人:</div></td>
<td> <?php echo $ourphp_rs[1]; ?></td>
</tr>
<tr>
<td valign="top"><div align="right">收件内容:</div></td>
<td> <?php echo $ourphp_rs[2]; ?></td>
</tr>
<tr>
<td><div align="right">时间:</div></td>
<td> <?php echo $ourphp_rs[3]; ?></td>
</tr>
</table>
<?php
mysql_free_result($query);
?>
</body>
</html>
```
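No restriction of any kind is applied. The script only checks that a session exists, never that the logged-in user is the sender or recipient of the requested message, so the row is read directly by its id.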
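
One way to add the missing ownership check, as an added example that is not OurPHP's own code: the lookup is bound to the logged-in user so a message is returned only to its sender or recipient. It assumes `$_SESSION['username']` holds the same value stored in `OP_Usersend`/`OP_Usercollect` (as the comparison in the page's code suggests); the helper name `fetch_message_for_user`, the PDO/SQLite fixture and its rows are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not OurPHP code. Table and column names come from the query
// shown on this page; the in-memory SQLite database and its rows are constructed.

/**
 * Return message $id only if $username is its sender or recipient.
 * "No such id" and "not your message" both yield null, so the response
 * does not reveal which message ids exist.
 */
function fetch_message_for_user(PDO $db, int $id, string $username): ?array
{
    $stmt = $db->prepare(
        'SELECT OP_Usersend, OP_Usercollect, OP_Usercontent, time
           FROM ourphp_usermessage
          WHERE id = ? AND (OP_Usersend = ? OR OP_Usercollect = ?)'
    );
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->bindValue(2, $username, PDO::PARAM_STR);
    $stmt->bindValue(3, $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture mirroring the report: three accounts, two messages.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ourphp_usermessage (
    id INTEGER PRIMARY KEY, OP_Usersend TEXT, OP_Usercollect TEXT,
    OP_Usercontent TEXT, time TEXT)');
$ins = $db->prepare('INSERT INTO ourphp_usermessage VALUES (?, ?, ?, ?, ?)');
$ins->execute([1, 'admin@qq.com', 'admin@qq.cn', 'constructed body 1', '2015-03-08 16:57']);
$ins->execute([2, 'admin@qq.cn', 'admin@qq.org', 'constructed body 2', '2015-03-08 16:58']);

// Replay the report's requests: each account stands in for $_SESSION['username'].
foreach (['admin@qq.com', 'admin@qq.cn', 'admin@qq.org'] as $sessionUser) {
    foreach ([1, 2] as $id) {
        $msg = fetch_message_for_user($db, $id, $sessionUser);
        printf("%-13s id=%d -> %s\n", $sessionUser, $id,
            $msg === null ? 'denied' : 'allowed');
    }
}
```

In a page that renders the row as HTML, the null case should produce the same response for every id the user is not a party to.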