First published at: http://ecma.io/706.html

Part 1: Root cause of the vulnerability

The vulnerability lies in the orderBy function of zentao\lib\base\dao\dao.class.php:
~~~php
public function orderBy($order)
{
    if($this->inCondition and !$this->conditionIsTrue) return $this;
    $order = str_replace(array('|', '', '_'), ' ', $order);

    /* Add "`" in order string. */
    /* When order has limit string. */
    $pos    = stripos($order, 'limit');
    $orders = $pos ? substr($order, 0, $pos) : $order;   /* the part before 'limit' ... */
    $limit  = $pos ? substr($order, $pos) : '';          /* ... and the 'limit ...' tail, kept as-is */
    $orders = trim($orders);
    if(empty($orders)) return $this;
    /* Only $orders is checked against the whitelist pattern; $limit is not. */
    if(!preg_match('/^(\w+\.)?(`\w+`|\w+)( +(desc|asc))?( *(, *(\w+\.)?(`\w+`|\w+)( +(desc|asc))?)?)*$/i', $orders)) die("Order is bad request, The order is $orders");

    $orders = explode(',', $orders);
    foreach($orders as $i => $order)
~~~
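As an added example (not ZenTao's own code), the standalone function below mirrors the order/limit split performed by orderBy() above but applies a strict whitelist pattern to both halves, so the tail after `limit` is validated instead of passed through unchecked; `validateOrderString` and the sample inputs are chosen here for illustration.

```php
<?php
/* Strict validator for an "ORDER BY [LIMIT]" string, modelled on the split in orderBy(). */
function validateOrderString(string $order): bool
{
    /* Same normalisation and 'limit' split as orderBy(), except that 'limit' at offset 0 is found too. */
    $order  = str_replace(array('|', '_'), ' ', $order);
    $pos    = stripos($order, 'limit');
    $orders = trim($pos === false ? $order : substr($order, 0, $pos));
    $limit  = trim($pos === false ? '' : substr($order, $pos));

    /* One order item: optional table prefix, a plain or backquoted column name, optional direction. */
    $item = '(\w+\.)?(`\w+`|\w+)( +(asc|desc))?';
    if(!preg_match('/^' . $item . '( *, *' . $item . ')*$/i', $orders)) return false;

    /* Unlike the original, the tail is checked as well: only "limit N" or "limit N, M" is accepted. */
    if($limit !== '' && !preg_match('/^limit +\d+( *, *\d+)?$/i', $limit)) return false;

    return true;
}

/* Constructed inputs with the expected verdict; not taken from the original post. */
$samples = array(
    'id_desc,name_asc'       => true,
    'id desc limit 10, 20'   => true,
    'id desc limit 10 extra' => false,  /* trailing token after the limit values */
    'id desc,'               => false,  /* dangling comma */
    'limit 10'               => false,  /* no order clause at all */
);

foreach($samples as $input => $expected)
{
    $result = validateOrderString($input);
    printf("%-24s %s%s\n", $input, $result ? 'accepted' : 'rejected', $result === $expected ? '' : '  (unexpected)');
}
```

Because the split is on the bare substring `limit`, a column whose name contains it is rejected rather than misparsed; narrow the split to a word boundary if such columns exist in your schema.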
