Modoer点评系统注射几个版本通杀

不给力的注射, 搞某站挖的, 查了下没什么大站用这个 影响不大 发出来大家交流学习, 废话不多说, 看我们的猪肉点~~~~~

首先\core\modules\item\ajax.php开始调用~

$do = trim($_GET['do']);
$op = trim($_GET['op']);
// 允许的操作行为
$allowacs = array( 'respond', 'review', 'subject', 'picture', 'guestbook');
// By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
// 需要登录的操作
$loginacs = array( 'post_respond', 'delete_respond', 'add_flower', 'post_membereffect', 'add_favorite', 'post_guestbook' );
// 可返回地址
$_G['forward'] = $_G['web']['referer'] ? $_G['web']['referer'] : $_G['cfg']['siteurl'];

$act = empty($do) || !in_array($do, $allowacs) ? '' : $do;

if(!$do) redirect('global_op_unkown');
include MOD_ROOT . 'ajax' . DS . $do . '.php';  //op=get_membereffect&do=subject 开始调用subject.php\core\modules\item\ajax\subject.php 148行

case 'get_membereffect':

    if(!$sid = _post('sid', 0, 'intval')) redirect(lang('global_sql_keyid_invalid', 'sid'));
    if(!isset($_POST['effect'])) redirect(lang('member_effect_unkown_effect'));
    $S =& $_G['loader']->model('item:subject');
    if(!$subject = $S->read($sid,'pid,name,subname,pid,status',false)) redirect(lang('item_empty'));
    if(!$model = $S->get_model($subject['pid'], TRUE)) redirect('item_model_empty');
    // By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
    $idtype = $model['tablename'];
    $effect = $_POST['effect']; //没过滤

    $M =& $_G['loader']->model('member:membereffect');
    $M->add_idtype($idtype, 'subject', 'sid');

    if($_POST['member'] && $_POST['member'] != '0') {
        if($list = $M->get_member($sid, $idtype, $effect)) { //注射开始 get_member函数在\core\modules\member\model\membereffect_class.php文件中
            while($val = $list->fetch_array()) {
                echo '<li><div><a title="'.$val['username'].'" href="'.url("space/index/uid/$val[uid]").'" target="_blank"><img src="'.get_face($val['uid']).'" />'.$val['username'].'</a></div></li>';
            }
        } else {
            redirect('global_empty_info');
        }
    } else {
        $totals = $M->total($sid, $idtype);
        if($totals) {
            foreach($totals as $key => $val) {
                if(substr($key, 0, 6) == 'effect') {
                    echo $split . $val;
                    $split = '|';
                }
            }
        } else {
            echo '0|0';
        }
    }
    output();
    break;\core\modules\member\model\membereffect_class.php 86行

function get_member($id, $idtype, $effect) {
    $this->db->from($this->table);
    $this->db->where('id', $id); //where函数会使用addslashes处理第二个参数
    $this->db->where('idtype', $idtype);
    $this->db->where($effect, 1); //第一个参数只有简单的验证 且无双引号包围 直接带入where函数 继续注射....
    return $this->db->get(); //经过where处理后就进入get执行了~
}\core\lib\database.php 155行

• 没有相关文章