SQL injection in the search box of an Ecmall-based site template

http://www.tuutao.com/index.php (土淘网, Tuutao)

The site is built on an Ecmall template; every site that uses this template should be affected the same way.

The search form is injectable. The injection point is:

http://www.tuutao.com/index.php?app=store&act=search&id=45&keyword=aaa&min_price=100&max_price=10000

The GET parameters are read first and then concatenated into a single SQL condition string.
1. This code in search.app.php builds the SQL for the min and max price filters. There is no escaping: `min_price` and `max_price` are inserted into the string verbatim. The `$min > 0` / `$max > 0` guards are loose PHP comparisons, not input validation; a string that starts with a positive number (for example `100' OR 1=1#`) passes the comparison and is still written into the query unchanged.

[php]
/**
 * Build the WHERE clause for a goods search
 *
 * @param array $param query parameters (see the return value of _get_query_param)
 * @return string where clause
 */
function _get_goods_conditions($param)
{
    /* Assemble the query conditions */
    $conditions = " g.if_show = 1 AND g.closed = 0 AND s.state = 1"; // on sale, not banned, store is open
    if (isset($param['keyword']))
    {
        $conditions .= $this->_get_conditions_by_keyword($param['keyword'], ENABLE_SEARCH_CACHE);
    }
    if (isset($param['cate_id']))
    {
        $conditions .= " AND g.cate_id_{$param['layer']} = '" . $param['cate_id'] . "'";
    }
    if (isset($param['brand']))
    {
        $conditions .= " AND g.brand = '" . $param['brand'] . "'";
    }
    if (isset($param['region_id']))
    {
        $conditions .= " AND s.region_id = '" . $param['region_id'] . "'";
    }
    if (isset($param['price']))
    {
        $min = $param['price']['min'];
        $max = $param['price']['max'];
        // min/max are concatenated as-is; the "> 0" test is a loose comparison, not a filter
        $min > 0 && $conditions .= " AND g.price >= '$min'";
        $max > 0 && $conditions .= " AND g.price <= '$max'";
    }
    return $conditions;
}
[/php]
2. The following code is where the query is executed; the condition string built above is passed straight into the SQL. The excerpt shows the price-statistics branch, which runs when the result count exceeds NUM_PER_PAGE, and `$conditions` is used in both of its queries:
[php]
/* Price distribution statistics */
if ($total_count > NUM_PER_PAGE)
{
    // $conditions (including the unescaped min/max values) goes straight into the query
    $sql = "SELECT MIN(g.price) AS min, MAX(g.price) AS max FROM {$table} WHERE" . $conditions;
    $row = $goods_mod->getRow($sql);
    $min = $row['min'];
    $max = min($row['max'], MAX_STAT_PRICE);
    $step = max(ceil(($max - $min) / PRICE_INTERVAL_NUM), MIN_STAT_STEP);
    $sql = "SELECT FLOOR((g.price - '$min') / '$step') AS i, count(*) AS count FROM {$table} WHERE " . $conditions . " GROUP BY i ORDER BY i";
    $res = $goods_mod->db->query($sql);
    while ($row = $goods_mod->db->fetchRow($res))
    {
        $data['by_price'][] = array(
            'count' => $row['count'],
            'min'   => $min + $row['i'] * $step,
            'max'   => $min + ($row['i'] + 1) * $step,
        );
    }
}
[/php]
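The following is an added example, not Ecmall's code or part of the original report. It re-creates the price branch of `_get_goods_conditions()` with the same string concatenation, shows why the `> 0` guard does not stop the payload, and puts a hardened version beside it. Assumptions: the `min_price`/`max_price` URL parameters reach this function as `$price['min']`/`$price['max']` (the page does not show `_get_query_param`), and the table names in `$table` are illustrative.

```php
<?php
// Added example, not Ecmall's code. Re-creates the price branch of
// _get_goods_conditions() (vulnerable) and a hardened replacement.
// Assumption: min_price/max_price arrive as $price['min'] / $price['max'].

/** Same pattern as the original: values go into the SQL string unescaped. */
function vulnerable_price_conditions(array $price): string
{
    $conditions = " g.if_show = 1 AND g.closed = 0 AND s.state = 1";
    $min = $price['min'];
    $max = $price['max'];
    // Loose comparison: "100' OR 1=1#" > 0 is true on PHP 7 (leading digits
    // cast to 100) and on PHP 8 (non-numeric string is compared to "0" as text),
    // so the guard passes and the raw string is concatenated.
    $min > 0 && $conditions .= " AND g.price >= '$min'";
    $max > 0 && $conditions .= " AND g.price <= '$max'";
    return $conditions;
}

/** Hardened: accept only numeric input and emit a cast number, never the raw string. */
function hardened_price_conditions(array $price): string
{
    $conditions = " g.if_show = 1 AND g.closed = 0 AND s.state = 1";
    foreach (['min' => '>=', 'max' => '<='] as $key => $op) {
        if (!isset($price[$key]) || !is_numeric($price[$key])) {
            continue; // drop anything that is not a plain number
        }
        $value = (float) $price[$key]; // a finite float renders only as a numeric literal
        if ($value > 0 && is_finite($value)) {
            $conditions .= " AND g.price $op $value";
        }
    }
    return $conditions;
}

// Constructed request: the payload rides in min_price, max_price is benign.
$price = ['min' => "100' OR 1=1#", 'max' => '10000'];

// Assumed table join; the page only shows it as {$table}.
$table = 'ecm_goods g LEFT JOIN ecm_store s ON g.store_id = s.store_id';

$vuln = vulnerable_price_conditions($price);
$safe = hardened_price_conditions($price);

// The statistics query from the page, built both ways.
echo "SELECT MIN(g.price) AS min, MAX(g.price) AS max FROM {$table} WHERE" . $vuln, "\n";
echo "SELECT MIN(g.price) AS min, MAX(g.price) AS max FROM {$table} WHERE" . $safe, "\n";
```

With the constructed input, the vulnerable builder produces `... AND g.price >= '100' OR 1=1#' AND g.price <= '10000'`; MySQL treats everything after `#` as a comment, and `OR 1=1` makes the WHERE clause match every row, which is the standard first step toward a UNION or time-based extraction. The hardened builder rejects the tampered `min` in `is_numeric()` and emits only `AND g.price <= 10000`. Casting to a number is the fix that fits `getRow($sql)` as shown on the page; where the database layer supports bound parameters, binding the two values is the better option.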
