易想团购开源版#sql注入两个 – 网站安全 – 自学

时间: 2020-10-10|tag: 35次围观|0 条评论

http://127.0.0.1/easethink/message.php?act=      

if($_REQUEST['act'] == 'add')

{

if(!$user_info)

{

showErr($GLOBALS['lang']['PLEASE_LOGIN_FIRST']);

}

if($_REQUEST['content']=='')

{

showErr($GLOBALS['lang']['MESSAGE_CONTENT_EMPTY']);

}

if(!check_ipop_limit(get_client_ip(),"message",intval(app_conf("SUBMIT_DELAY")),0))

{

showErr($GLOBALS['lang']['MESSAGE_SUBMIT_FAST']);

}



$rel_table = $_REQUEST['rel_table'];

$message_type = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."message_type where type_name='".$rel_table."'");

if(!$message_type)

{

showErr($GLOBALS['lang']['INVALID_MESSAGE_TYPE']);

}



$message_group = $_REQUEST['message_group'];



//添加留言

$message['title'] = htmlspecialchars(addslashes($_REQUEST['content']));

$message['content'] = htmlspecialchars(addslashes($_REQUEST['content']));

if($message_group)

{

$message['title']="[".$message_group."]:".$message['title'];

$message['content']="[".$message_group."]:".$message['content'];

}



$message['create_time'] = get_gmtime();

$message['rel_table'] = $rel_table;

$message['rel_id'] = $_REQUEST['rel_id'];

$message['user_id'] = intval($GLOBALS['user_info']['id']);

$message['city_id'] = $deal_city['id'];

if(app_conf("USER_MESSAGE_AUTO_EFFECT")==0)

{

$message_effect = 0;

}

else

{

$message_effect = $message_type['is_effect'];

}

$message['is_effect'] = $message_effect;



$GLOBALS['db']->autoExecute(DB_PREFIX."message",$message);

showSuccess($GLOBALS['lang']['MESSAGE_POST_SUCCESS']);



}

else

{

$rel_table = $_REQUEST['act'];

$message_type = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."message_type where type_name='".$rel_table."'");

 

参数act 未做过滤导致直接带入 数据库查询。导致注入。

易想团购开源版#sql注入两个 – 网站安全 – 自学插图

http://127.0.0.1/easethink/link.php?act=go&city=fujian&url=   

if($_REQUEST['act']=='go')

{

$url = ($_REQUEST['url']);

$link_item = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."link where (url = '".$url."' or url = 'http://".$url."') and is_effect = 1");

if($link_item)

{

if(check_ipop_limit(get_client_ip(),"Link",10,$link_item['id']))

$GLOBALS['db']->query("update ".DB_PREFIX."link set count = count + 1 where id = ".$link_item['id']);

$url = "http://".$url;

}

else

{

$url = APP_ROOT."/";

}

app_redirect($url);

}

 

url参数未做过滤直接带入数据库 导致sql注入  
易想团购开源版#sql注入两个 – 网站安全 – 自学插图1 修复方案: 过滤

    上一篇: ECSHOP后台getshell - 网站安全 - 自学php

    下一篇: PHP网站常见安全漏洞和防范措施总结 - 网站安全
本博客所有文章如无特别注明均为原创。
复制或转载请以超链接形式注明转自起风了,原文地址《易想团购开源版#sql注入两个 – 网站安全 – 自学
   

还没有人抢沙发呢~