By: Yi Xin yi
To answer oldjun's call, I'm sending a small hole. An honorary member is waiting for you. My mind isn't that powerful, so why are there so many 0-day collections? I didn't see your vulnerabilities after I came to t00ls; I saw many of them before I came.
This vulnerability is quite interesting...
First, it merges POST and GET, but it doesn't care about the difference between POST and GET. If you GET %27, GPC will affect it; however, if you POST %27, GPC won't be affected.
function onsearch() {
    $navtitle = 'search question';
    $qstatus = $status = $this->get[2];
    (3 == $status) && ($qstatus = "1,2");
    // Here: GET %27 gets filtered out; GET %2527 is processed as %27, so no injection results.
    // But if POST %27 is used, the filter is bypassed.
    @$word = urldecode($this->post['word'] ? $this->post['word'] : $this->get[3]);
    empty($word) && $this->message("key to search!", 'back');
    $encodeword = urlencode($word);
    @$page = max(1, intval($this->get[4]));
    $pagesize = $this->setting['list_default'];
    $startindex = ($page - 1) * $pagesize; // 25 entries per page
    $rownum = $_ENV['question']->search_title_num($word, $qstatus); // obtain the total number of records
    $questionlist = $_ENV['question']->search_title($word, $qstatus, $startindex, $pagesize); // list of question data
    $departstr = page($rownum, $pagesize, $page, "question/search/$status/$word"); // obtain the paging string
    $this->load('setting');
    $wordslist = unserialize($this->setting['hot_word']);
    include template('search');
}
Usage: POST the URL-encoded SQL injection statement.
www.2cto.com: check the code filter.
Original from t00ls. Please credit t00ls when reprinting. Thank you.
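A demonstration of the escape-then-decode ordering problem the post describes, added here and not part of the original post or of the application whose onsearch() it quotes. It simulates magic_quotes_gpc with addslashes(), shows the vulnerable ordering (escape first, urldecode() second) beside a hardened one (decode fully, then escape once), and finishes with a bound parameter so the search term never reaches the SQL string at all. The helper names (simulate_gpc, search_word_vulnerable, search_word_hardened, search_title_safe), the in-memory SQLite table and the sample inputs are constructed for this example.

```php
<?php
// Added example, not code from the post or from the application it quotes.
// It reproduces the ordering bug in the onsearch() pattern: a request value is
// escaped by magic_quotes_gpc (simulated here with addslashes) and only
// afterwards run through urldecode(), so an encoded quote ("%27") is escaped
// as harmless text and then decoded into a bare quote.
// simulate_gpc, search_word_vulnerable, search_word_hardened and
// search_title_safe are hypothetical helpers written for this demonstration.

// What magic_quotes_gpc did to every request value before the app saw it.
function simulate_gpc(string $raw): string
{
    return addslashes($raw);
}

// Vulnerable order (mirrors onsearch): escape first, decode second.
// "%27" passes addslashes() untouched and becomes "'" after urldecode().
function search_word_vulnerable(string $raw): string
{
    $gpc = simulate_gpc($raw);
    return urldecode($gpc);
}

// Hardened order: undo the input-time escaping, finish all decoding,
// then escape exactly once for the SQL context.
function search_word_hardened(string $raw): string
{
    $decoded = urldecode(stripslashes(simulate_gpc($raw)));
    return addslashes($decoded);
}

// Best option: do not splice the word into SQL at all; bind it.
// The in-memory SQLite table stands in for the application's question table.
function search_title_safe(PDO $db, string $raw): array
{
    $word = urldecode(stripslashes(simulate_gpc($raw)));
    $stmt = $db->prepare(
        'SELECT title FROM question WHERE status IN (1, 2) AND title LIKE :w'
    );
    $stmt->execute([':w' => '%' . $word . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample inputs, as the application sees them after PHP's own
// form decoding: a plain quote, a single-encoded quote, a double-encoded one.
$samples = ["abc'", "abc%27", "abc%2527"];
foreach ($samples as $s) {
    printf("%-9s vulnerable=%-8s hardened=%s\n",
        $s, search_word_vulnerable($s), search_word_hardened($s));
}

// Constructed table contents for the bound-parameter search.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE question (title TEXT, status INTEGER)');
$db->exec("INSERT INTO question VALUES ('abc''s question', 1), ('other', 2)");
print_r(search_title_safe($db, "abc%27"));
```

In the printed table only the vulnerable column turns the single-encoded input into a bare quote; the hardened column escapes it, and the double-encoded input stays as literal "%27" text in both. The PDO path is the fix a reviewer would ask for: once the term is bound as a parameter, the encoding games around GPC no longer matter, and the LIKE search still finds the row containing the apostrophe.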