topicadmin.php文件中的下面代码中,一看就是$accessadd1、$accessadd2这两个变量没有初始化。有可能引发SQL注射攻击。但实际我也没有时间和精力去测试。毕竟如果可以利用的话,要有一定权限哦。有兴趣的朋友可以自己看看。
if($adminid == 3) {
if($accessmasks) {
$accessadd1 = ', a.allowview, a.allowpost, a.allowreply, a.allowgetattach, a.allowpostattach';
$accessadd2 = "LEFT join {$tablepre}access a ON a.uid='$discuz_uid' AND a.fid='$moveto'";
}
$query = $db->query("select ff.postperm, m.uid AS istargetmod $accessadd1
FROM {$tablepre}forumfields ff
$accessadd2
LEFT join {$tablepre}moderators m ON m.fid='$moveto' AND m.uid='$discuz_uid'
where ff.fid='$moveto'");
$priv = $db->fetch_array($query);
if((($priv['postperm'] && !in_array($groupid, explode("\t", $priv['postperm']))) || ($accessmasks && ($priv['allowview'] || $priv['allowreply'] || $priv['allowgetattach'] || $priv['allowpostattach']) && !$priv['allowpost'])) && !$priv['istargetmod']) {
showmessage('admin_copy_nopermission');
}
}
if($accessmasks) {
$accessadd1 = ', a.allowview, a.allowpost, a.allowreply, a.allowgetattach, a.allowpostattach';
$accessadd2 = "LEFT join {$tablepre}access a ON a.uid='$discuz_uid' AND a.fid='$moveto'";
}
$query = $db->query("select ff.postperm, m.uid AS istargetmod $accessadd1
FROM {$tablepre}forumfields ff
$accessadd2
LEFT join {$tablepre}moderators m ON m.fid='$moveto' AND m.uid='$discuz_uid'
where ff.fid='$moveto'");
$priv = $db->fetch_array($query);
if((($priv['postperm'] && !in_array($groupid, explode("\t", $priv['postperm']))) || ($accessmasks && ($priv['allowview'] || $priv['allowreply'] || $priv['allowgetattach'] || $priv['allowpostattach']) && !$priv['allowpost'])) && !$priv['istargetmod']) {
showmessage('admin_copy_nopermission');
}
}
