Register a reviewer account and you will notice that the administration side exposes the function that accepts the POST variable, so I think the problem lies in /zb_system/function/lib/dbsql.php.
public function ParseWhere($where) {
    global $zbp;
    $sqlw = null;
    if (!empty($where)) {
        $sqlw .= ' WHERE ';
        $comma = '';
        foreach ($where as $k => $w) {
            $eq = $w[0];
            // Simple comparisons: the value is escaped, the column name $x is not.
            if ($eq == '=' || $eq == '<' || $eq == '>' || $eq == 'LIKE' || $eq == '<>' || $eq == '!=') {
                $x = (string) $w[1];
                $y = (string) $w[2];
                $y = $zbp->db->EscapeString($y);
                $sqlw .= $comma . "$x $eq '$y'";
            }
            // BETWEEN: neither bound is escaped before being quoted into the SQL.
            if ($eq == 'BETWEEN') {
                $b1 = (string) $w[1];
                $b2 = (string) $w[2];
                $b3 = (string) $w[3];
                $sqlw .= $comma . "$b1 BETWEEN '$b2' AND '$b3'";
            }
            // search: the keyword (last element of $w) is escaped and then
            // immediately overwritten with the raw value, so the escaping is lost.
            if ($eq == 'search') {
                $j = count($w);
                $sql_search = '';
                $c = '';
                for ($i = 1; $i <= $j - 1 - 1; $i++) {
                    $x = (string) $w[$i];
                    $y = (string) $w[$j - 1];
                    $y = $zbp->db->EscapeString($y);
                    $y = $w[$j - 1];
                    $sql_search .= $c . "($x LIKE '%$y%')";
                    $c = ' OR ';
                }
                $sqlw .= $comma . '(' . $sql_search . ')';
            }
            // array: each value is escaped, each column name is not.
            if ($eq == 'array') {
                $c = '';
                $sql_array = '';
                if (!is_array($w[1])) continue;
                if (count($w[1]) == 0) continue;
                foreach ($w[1] as $x => $y) {
                    $y[1] = $zbp->db->EscapeString($y[1]);
                    $sql_array .= $c . "$y[0] = '$y[1]'";
                    $c = ' OR ';
                }
                $sqlw .= $comma . '(' . $sql_array . ')';
            }
            // custom: the caller's string is concatenated verbatim.
            if ($eq == 'custom') {
                $sqlw .= $comma . '(' . $w[1] . ')';
            }
            $comma = ' AND ';
        }
    }
    echo $sqlw; // Also echo the SQL statement so it can be inspected.
    return $sqlw;
}
The injection method is the same as in http://www.bkjia.com/Article/201312/267164.html; run it with sqlmap.
Solution: filter all accepted POST values.
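As an added example (not code from the Z-BlogPHP project), the 'search' branch of ParseWhere quoted above is placed beside a hardened version that fixes the defect in the query builder itself rather than filtering POST values; the escape_string stub standing in for $zbp->db->EscapeString and the column-name allowlist are assumptions.

```php
<?php
// Stand-in for $zbp->db->EscapeString (assumption: the real one is the
// database driver's string escaper).
function escape_string(string $s): string {
    return addslashes($s);
}

// Mirrors the 'search' branch as quoted above: the escaped $y is discarded
// by the following re-assignment from the raw $w array.
function search_clause_vulnerable(array $w): string {
    $j = count($w);
    $sql = '';
    $c = '';
    for ($i = 1; $i <= $j - 1 - 1; $i++) {
        $x = (string) $w[$i];
        $y = (string) $w[$j - 1];
        $y = escape_string($y);
        $y = $w[$j - 1];          // overwrites the escaped value with the raw one
        $sql .= $c . "($x LIKE '%$y%')";
        $c = ' OR ';
    }
    return '(' . $sql . ')';
}

// Hardened version: escape the keyword once, never read the raw value
// again, and accept only column names matching a strict allowlist pattern
// (the original code interpolates $x without any check).
function search_clause_fixed(array $w): string {
    $j = count($w);
    $y = escape_string((string) $w[$j - 1]);
    $parts = [];
    for ($i = 1; $i <= $j - 2; $i++) {
        $x = (string) $w[$i];
        if (!preg_match('/^[A-Za-z0-9_]+$/', $x)) {
            throw new InvalidArgumentException("bad column name: $x");
        }
        $parts[] = "($x LIKE '%$y%')";
    }
    return '(' . implode(' OR ', $parts) . ')';
}

// Constructed input in the shape ParseWhere receives:
// ['search', column1, column2, ..., keyword].
$w = ['search', 'log_Title', 'log_Content', "it's"];
echo search_clause_vulnerable($w), "\n";
echo search_clause_fixed($w), "\n";
```

With this input the vulnerable variant emits the keyword's single quote verbatim inside the LIKE pattern, while the hardened one emits it escaped.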