qibocms B2b 注入一枚

在news/js.php中
[php]
f($type=='hot'||$type=='com'||$type=='new'||$type=='lastview'||$type=='like')
{
if($f_id)
{
if(is_numeric($f_id)){
$SQL=" fid=$f_id ";
}else{
$detail=explode(",",$f_id);
$SQL=" fid IN ( ".implode(",",$detail)." ) ";
}
}
else
{
$SQL=" 1 ";
}
if($type=='com')
{
$SQL.=" AND levels=1 ";
$ORDER=' list ';
$_INDEX=" USE INDEX ( list ) ";
}
elseif($type=='hot')

{
$ORDER=' hits ';
$_INDEX=" USE INDEX ( hits ) ";
}
elseif($type=='new')
{
$ORDER=' list ';
$_INDEX=" USE INDEX ( list ) ";
}
elseif($type=='lastview')
{
$ORDER=' lastview ';
$_INDEX=" USE INDEX ( lastview ) ";
}
elseif($type=='like')
{
$SQL.=" AND id!='$id' ";
if(!$keyword)
{
extract($db->get_one("SELECT keywords AS keyword FROM {$_pre}content WHERE id='$id'"));
}
if($keyword){
$SQL.=" AND ( ";
$keyword=urldecode($keyword);
$detail=explode(" ",$keyword);
unset($detail2);
foreach( $detail AS $key=>$value){
$detail2[]=" BINARY title LIKE '%$value%' ";
}
$str=implode(" OR ",$detail2);
$SQL.=" $str ) ";

}else{
$SQL.=" AND 0 ";[/php]
看到 keyword 经过了 urldecode 解码（解码发生在全局转义之后），所以全局的转义对它不起作用。之后用空格来切割，因此 keyword 里就不能用空格了。官网测试成功。
