

易想团购开源版#sql注入两个 - 网站安全 - 自学

http://127.0.0.1/easethink/message.php?act= 

 

  if($_REQUEST['act'] == 'add') { if(!$user_info) { showErr($GLOBALS['lang']['PLEASE_LOGIN_FIRST']); } if($_REQUEST['content']=='') { showErr($GLOBALS['lang']['MESSAGE_CONTENT_EMPTY']); } if(!check_ipop_limit(get_client_ip(),"message",intval(app_conf("SUBMIT_DELAY")),0)) { showErr($GLOBALS['lang']['MESSAGE_SUBMIT_FAST']); } $rel_table = $_REQUEST['rel_table']; $message_type = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."message_type where type_name='".$rel_table."'"); if(!$message_type) { showErr($GLOBALS['lang']['INVALID_MESSAGE_TYPE']); } $message_group = $_REQUEST['message_group']; //添加留言 $message['title'] = htmlspecialchars(addslashes($_REQUEST['content'])); $message['content'] = htmlspecialchars(addslashes($_REQUEST['content'])); if($message_group) { $message['title']="[".$message_group."]:".$message['title']; $message['content']="[".$message_group."]:".$message['content']; } $message['create_time'] = get_gmtime(); $message['rel_table'] = $rel_table; $message['rel_id'] = $_REQUEST['rel_id']; $message['user_id'] = intval($GLOBALS['user_info']['id']); $message['city_id'] = $deal_city['id']; if(app_conf("USER_MESSAGE_AUTO_EFFECT")==0) { $message_effect = 0; } else { $message_effect = $message_type['is_effect']; } $message['is_effect'] = $message_effect; $GLOBALS['db']->autoExecute(DB_PREFIX."message",$message); showSuccess($GLOBALS['lang']['MESSAGE_POST_SUCCESS']); } else { $rel_table = $_REQUEST['act']; $message_type = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."message_type where type_name='".$rel_table."'");

 

参数 act 未做过滤，直接带入数据库查询，导致 SQL 注入。

http://127.0.0.1/easethink/link.php?act=go&city=fujian&url=

  if($_REQUEST['act']=='go') { $url = ($_REQUEST['url']); $link_item = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."link where (url = '".$url."' or url = 'http://".$url."') and is_effect = 1"); if($link_item) { if(check_ipop_limit(get_client_ip(),"Link",10,$link_item['id'])) $GLOBALS['db']->query("update ".DB_PREFIX."link set count = count + 1 where id = ".$link_item['id']); $url = "http://".$url; } else { $url = APP_ROOT."/"; } app_redirect($url); }

 

url 参数未做过滤，直接带入数据库查询，导致 SQL 注入。

 

修复方案:

对带入数据库查询的参数进行过滤。

