topicadmin.php文件中的下面代码中,一看就是$accessadd1、$accessadd2这两个变量没有初始化。有可能引发SQL注射攻击。但实际我也没有时间和精力去测试。毕竟如果可以利用的话,要有一定权限哦。有兴趣的朋友可以自己看看。if($adminid == 3) {if($accessmasks) {$accessadd1 = ‘, a.allowview, a.allowpost, a.allowreply, a.allowgetattach, a.allowpostattach’;$accessadd2 = “LEFT join {$tablepre}access a ON a.uid=’$discuz_uid’ AND a.fid=’$moveto'”;}$query = $db->query(“select ff.postperm, m.uid AS istargetmod $accessadd1FROM {$tablepre}forumfields ff$accessadd2LEFT join {$tablepre}moderators m ON m.fid=’$moveto’ AND m.uid=’$discuz_uid’where ff.fid=’$moveto'”);$priv = $db->fetch_array($query);if((($priv[‘postperm’] && !in_array($groupid, explode(“\t”, $priv[‘postperm’]))) || ($accessmasks && ($priv[‘allowview’] || $priv[‘allowreply’] || $priv[‘allowgetattach’] || $priv[‘allowpostattach’]) && !$priv[‘allowpost’])) && !$priv[‘istargetmod’]) {showmessage(‘admin_copy_nopermission’);}} 你不怕困难,困难就怕你。
