网站地图    收藏   

主页 > 后端 > 网站安全 >

易想团购开源版#sql注入两个 - 网站安全 - 自学

来源:自学PHP网    时间:2015-04-16 23:15 作者: 阅读:

[导读] http: 127 0 0 1 easethink message php?act=if($_REQUEST[ 39;act 39;] == 39;add 39;){if(!$user_info){showErr($GLOBALS[ 39;lang 39;][ 39;PLEASE_LOGIN_FIRST 39;]);}if($_REQUEST[ 39;conten...

http://127.0.0.1/easethink/message.php?act= 
 
 
if($_REQUEST['act'] == 'add')

{

if(!$user_info)

{

showErr($GLOBALS['lang']['PLEASE_LOGIN_FIRST']);

}

if($_REQUEST['content']=='')

{

showErr($GLOBALS['lang']['MESSAGE_CONTENT_EMPTY']);

}

if(!check_ipop_limit(get_client_ip(),"message",intval(app_conf("SUBMIT_DELAY")),0))

{

showErr($GLOBALS['lang']['MESSAGE_SUBMIT_FAST']);

}



$rel_table = $_REQUEST['rel_table'];

$message_type = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."message_type where type_name='".$rel_table."'");

if(!$message_type)

{

showErr($GLOBALS['lang']['INVALID_MESSAGE_TYPE']);

}



$message_group = $_REQUEST['message_group'];



//添加留言

$message['title'] = htmlspecialchars(addslashes($_REQUEST['content']));

$message['content'] = htmlspecialchars(addslashes($_REQUEST['content']));

if($message_group)

{

$message['title']="[".$message_group."]:".$message['title'];

$message['content']="[".$message_group."]:".$message['content'];

}



$message['create_time'] = get_gmtime();

$message['rel_table'] = $rel_table;

$message['rel_id'] = $_REQUEST['rel_id'];

$message['user_id'] = intval($GLOBALS['user_info']['id']);

$message['city_id'] = $deal_city['id'];

if(app_conf("USER_MESSAGE_AUTO_EFFECT")==0)

{

$message_effect = 0;

}

else

{

$message_effect = $message_type['is_effect'];

}

$message['is_effect'] = $message_effect;



$GLOBALS['db']->autoExecute(DB_PREFIX."message",$message);

showSuccess($GLOBALS['lang']['MESSAGE_POST_SUCCESS']);



}

else

{

$rel_table = $_REQUEST['act'];

$message_type = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."message_type where type_name='".$rel_table."'");

 

参数act 未做过滤导致直接带入数据库查询。导致注入。



http://127.0.0.1/easethink/link.php?act=go&city=fujian&url=
 
if($_REQUEST['act']=='go')

{

$url = ($_REQUEST['url']);

$link_item = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."link where (url = '".$url."' or url = 'http://".$url."') and is_effect = 1");

if($link_item)

{

if(check_ipop_limit(get_client_ip(),"Link",10,$link_item['id']))

$GLOBALS['db']->query("update ".DB_PREFIX."link set count = count + 1 where id = ".$link_item['id']);

$url = "http://".$url;

}

else

{

$url = APP_ROOT."/";

}

app_redirect($url);

}

 

url参数未做过滤直接带入数据库 导致sql注入
 

修复方案:
过滤

自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

京ICP备14009008号-1@版权所有www.zixuephp.com

网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

添加评论