Modoer Reviews system injection of several versions of kill

The injection is not powerful. I have dug a website and checked it out. There is no big station to use. This has little impact on people's communication and learning. I don't talk much about it, look at our pork site ~~~~~

Start calling \ core \ modules \ item \ ajax. php ~

$ Do = trim ($ _ GET ['do ']);
$ Op = trim ($ _ GET ['op']);
// Permitted Operation Behavior
$ Allowacs = array ('respond', 'review', 'subobject', 'picture ', 'guestbook ');
// By. Rices-> Forum: T00ls. Net-> Blog: Rices. so
// Logon operation
$ Loginacs = array ('Post _ respond', 'delete _ respond', 'add _ flower', 'Post _ membereffect ', 'add _ favorite ', 'Post _ guestbook ');
// Return address
$ _ G ['forward '] = $ _ G ['web'] ['Referer']? $ _ G ['web'] ['Referer']: $ _ G ['cfg '] ['siteurl'];

$ Act = empty ($ do) |! In_array ($ do, $ allowacs )? '': $ Do;

If (! $ Do) redirect ('Global _ op_unkown ');
Include MOD_ROOT. 'ajax '. DS. $ do. '. php '; // op = get_membereffect & do = subject to call subject. php \ core \ modules \ item \ ajax \ subject. php 148 lines

Case 'get _ membereffect ':

If (! $ Sid = _ post ('sid ', 0, 'intval') redirect (lang ('Global _ SQL _keyid_invalid ', 'sid '));
If (! Isset ($ _ POST ['effect']) redirect (lang ('Member _ effect_unkown_effect '));
$ S = & $ _ G ['loader ']-> model ('item: subobject ');
If (! $ Subject = $ S-> read ($ sid, 'pid, name, subname, pid, status', false) redirect (lang ('item _ empty '));
If (! $ Model = $ S-> get_model ($ subject ['pid'], TRUE) redirect ('item _ model_empty ');
// By. Rices-> Forum: T00ls. Net-> Blog: Rices. so
$ Idtype = $ model ['tablename'];
$ Effect = $ _ POST ['effect ']; // not filtered

$ M = & $ _ G ['loader ']-> model ('Member: membereffect ');
$ M-> add_idtype ($ idtype, 'subobject', 'sid ');

If ($ _ POST ['member'] & $ _ POST ['member']! = '0 '){
If ($ list = $ M-> get_member ($ sid, $ idtype, $ effect )) {// The get_member function starts the injection in the \ core \ modules \ member \ model \ membereffect_class.php file.
While ($ val = $ list-> fetch_array ()){
Echo '<li> <div> <a title = "'. $ val ['username']. '"href = "'. url ("space/index/uid/$ val [uid]"). '"target =" _ blank "> '. $ val ['username']. '</a> </div> </li> ';
}
} Else {
Redirect ('Global _ empty_info ');
}
} Else {
$ Totals = $ M-> total ($ sid, $ idtype );
If ($ totals ){
Foreach ($ totals as $ key => $ val ){
If (substr ($ key, 0, 6) = 'effect '){
Echo $ split. $ val;
$ Split = '| ';
}
}
} Else {
Echo '0 | 0 ';
}
}
Output ();
Break; \ core \ modules \ member \ model \ memberrentt_class.php 86

Function get_member ($ id, $ idtype, $ effect ){
$ This-> db-> from ($ this-> table );
$ This-> db-> where ('id', $ id); // The where function uses addslashes to process the second parameter.
$ This-> db-> where ('idtype', $ idtype );
$ This-> db-> where ($ effect, 1); // The first parameter only has simple verification and is directly inserted into the where function without double quotation marks for further injection ....
Return $ this-> db-> get (); // After where processing, get is executed ~
} \ Core \ lib \ database. php line 155

// Set the query field
Function where ($ key, $ value = '', $ split = 'and '){

If (is_array ($ key )){
Foreach ($ key as $ k => $ v ){
If (is_array ($ v) & count ($ v) = 2 & is_array ($ v [1]) {
Echo ''. $ k. $ v .'';
$ Fun = $ v [0];
$ Args = array_merge (array ($ k), $ v [1]);
Call_user_func_array (array (& $ this, $ fun), $ args );
} Else {
$ This-> where ($ k, $ v, $ split );
}
}
// By. Rices-> Forum: T00ls. Net-> Blog: Rices. so
} Elseif ($ key = '{SQL }'){
$ This-> _ exp_where ('SQL', $ value, $ split );
} Elseif (is_array ($ value )){
$ This-> where_in ($ key, $ value, $ split );
} Else {
// The key is that the first parameter here is not filtered. If the controllable value is in value, there is no way.
$ Where = $ this-> _ ck_field ($ key). "=". $ this-> _ escape ($ value );
// _ Escape uses addslashes to process the value
// While _ ck_field only uses preg_match ("/[\ '\" \ <\>] +/", $ field) as long as the $ key value does not have single quotes, it can be bypassed.
$ This-> where. = ($ this-> where? "$ Split": ''). $ where;
// Echo $ where;
}
}


 

This is a bit interesting. It filters out the value but does not filter the key so .. if you are interested, you can dig it and see that as long as the first value of the where function is controllable, you can easily deal with it ~