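phpyun 个人会员中心的 member/model/index.class.php 中,$_COOKIE["usertype"] 参数存在 SQL 注入。从下面的代码可以看到,$data["usertype"] 直接读取 COOKIE 的值并拼接进 SQL 语句,而 SQL 未对该值做任何过滤处理。同一条语句中的 p_uid(来自 $_COOKIE["uid"])和 c_uid(来自 $_GET["c_uid"])同样未加引号直接拼接。修复时应将这些值强制转换为整数或改用参数化查询,并且用户身份应取自服务端会话而不是 COOKIE。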

/**
 * Message-list action of the member centre.
 *
 * Visible behaviour, in order:
 *  1. If ?del= is present, deletes that row from `userid_msg` for the current
 *     user ($this->uid) and shows a result message.
 *  2. Renders the paged message list for $this->uid.
 *  3. If ?c_uid= is present, adds that user to the caller's blacklist (unless
 *     already present) and deletes the messages received from that user.
 *
 * NOTE(review): the excerpt ends before the function's closing brace, so any
 * statements after the ?c_uid= branch are not shown here.
 *
 * SECURITY: the blacklist branch builds SQL from $_COOKIE and $_GET values by
 * plain string concatenation (see the inline notes). Every value below that
 * originates from the request is controlled by the client.
 */
function msg_action(){

if($_GET["del"]){

// $_GET["del"] is wrapped in single quotes but is not cast or escaped in this
// function. Whether a global input filter escapes it is not visible here;
// an (int) cast or a bound parameter would make this independent of that.
// NOTE(review): this is a state-changing delete driven by a GET parameter, and
// no anti-CSRF token check is visible in this excerpt.
$nid=$this->obj->DB_delete_all("userid_msg","`id`='".$_GET["del"]."' and `uid`='".$this->uid."'");

// isset() is true for every non-null value, so a false/0 return from
// DB_delete_all would still be reported as success ("删除成功").
isset($nid)?$this->obj->ACT_msg("index.php?C=msg","删除成功"):$this->obj->ACT_msg("index.php?C=msg","删除失败");

}

$this->public_action();

// "{{page}}" is passed through as a literal placeholder; presumably the pager
// substitutes the page number later (not shown).
$urlarr=array("C"=>"msg","page"=>"{{page}}");

$pageurl=$this->url("index","index",$urlarr);

// The list query is scoped with $this->uid, unlike the blacklist branch
// below, which takes the user id from a cookie.
$this->get_page("userid_msg","`uid`='".$this->uid."' and type!='1' order by id desc",$pageurl,"20");

if($_GET["c_uid"]){

// Request-supplied value, used unquoted in the WHERE clauses below.
$data["c_uid"]=$_GET["c_uid"];

// mktime() without arguments returns the current timestamp on old PHP
// versions; PHP 8 requires at least one argument, and time() is the equivalent.
$data["inputtime"]=mktime();

// SECURITY: identity and role are read from cookies, which the client can set
// to any value. The rest of this function already uses $this->uid; the
// blacklist branch should use the same server-side identity.
$data["p_uid"]=$_COOKIE["uid"];

$data["usertype"]=$_COOKIE["usertype"];

$data["com_name"]=$_GET["c_name"];

// SECURITY (SQL injection): p_uid, c_uid and usertype are concatenated into
// the WHERE clause without quotes, casting or escaping, so their content is
// interpreted as SQL. Mitigation: cast each value to int (or validate it
// against the expected set of user types) before use, or switch the data
// layer to prepared statements with bound parameters.
$haves=$this->obj->DB_select_once("blacklist","`p_uid`=".$data["p_uid"]." and `c_uid`=".$data["c_uid"]."  and `usertype`=".$data["usertype"]."");

if(is_array($haves)){

// NOTE(review): HTTP_REFERER is a client-supplied header. If ACT_msg
// redirects to it or prints it (not shown), it should be validated against
// the site's own URLs first.
$this->obj->ACT_msg($_SERVER['HTTP_REFERER'],"该用户已在您黑名单中");

}else{

// $data still holds the raw cookie/GET values (including com_name). Whether
// insert_into escapes them is not visible here. TODO confirm.
$nid=$this->obj->insert_into("blacklist",$data);

// Same unquoted concatenation as the SELECT above, this time in a DELETE.
$this->obj->DB_delete_all("userid_msg","`uid`=".$data["p_uid"]." and `fid`=".$data["c_uid"].""," ");

$nid?$this->obj->ACT_msg($_SERVER['HTTP_REFERER'],"操作成功"):$this->obj->ACT_msg($_SERVER['HTTP_REFERER'],"操作失败");

}

}




/**
 * Fetches a single row from a table, with a cache lookup in front.
 *
 * @param string $tablename Table name; $this->def is prepended (presumably the
 *                          table prefix, TODO confirm).
 * @param mixed  $where     Raw SQL placed after WHERE. The default 1 matches
 *                          every row, so the first row is returned.
 * @param string $select    Raw column list placed after SELECT.
 * @return mixed The cached value, or the result of fetch_array() on the query.
 *
 * SECURITY: $select, $tablename and $where are concatenated into the statement
 * verbatim. This method performs no escaping or binding, so callers carry the
 * whole burden of passing only trusted or validated fragments. A safer
 * interface would accept column/value pairs and bind the values.
 */
function DB_select_once($tablename, $where = 1, $select = "*") {

// The cache key is the table name plus the raw WHERE text, so request-derived
// WHERE content also becomes part of the cache key.
$cachename=$tablename.$where;

// Memcache_set() with a single argument appears to act as a cache read
// (TODO confirm). Any falsy result is treated as a miss and triggers the query.
if(!$return=$this->Memcache_set($cachename)){

$SQL = "SELECT ".$select." FROM " . $this->def . $tablename . " WHERE ".$where." limit 1";

// NOTE(review): this prints the full statement into the response. It looks like
// debugging output (possibly added for this write-up). It should not exist in
// deployed code, where it would disclose table names and query structure.
            echo $SQL;

$query = $this->db->query($SQL);

$return=$this->db->fetch_array($query);

// Store the fetched row under the same key for later calls.
$this->Memcache_set($cachename,$return);

}



return $return;

}

 

phpyun某功能对参数处理不严可导致sql注入 – 网站插图
