Ecmall SQL注射之一

缺陷文件:/app/coupon.app.php
[php]
function extend()

{

$coupon_id = isset($_GET['id']) ? trim($_GET['id']) : '';

if (empty($coupon_id))

{

echo Lang::get('no_coupon');

exit;

}

if (!IS_POST)

{

header("Content-Type:text/html;charset=" . CHARSET);

$this->assign('id', $coupon_id);

$this->assign('send_model', Lang::get('send_model'));

$this->display("coupon_extend.html");

}

else

{

if (empty($_POST['user_name']))

{

$this->pop_warning("involid_data");

exit;

}

$user_name = str_replace(array("\r","\r\n"), "\n", trim($_POST['user_name']));

$user_name = explode("\n", $user_name);

$user_mod =&m ('member');

$users = $user_mod->find(db_create_in($user_name, 'user_name'));

if (empty($users))

{

$this->pop_warning('involid_data');

exit;

}

if (count($users) > 30)

{

$this->pop_warning("amount_gt");

exit;

}

else

{

$users = $this->assign_user($coupon_id, $users);

$store = $this->_store_mod->get_info($this->_store_id);

$coupon = $this->_coupon_mod->get_info($coupon_id);

$coupon['store_name'] = $store['store_name'];

$coupon['store_id'] = $this->_store_id;

$this->_message_to_user($users, $coupon);

$this->_mail_to_user($users, $coupon);

$this->pop_warning("ok","coupon_extend");

}

}

}
[/php]
首先是coupon_id只过滤了空格,随后在else语句里进入了get_info函数:
[php]
function get_info($id)

{

$goods = $this->get(array(

'conditions' => "goods_id = '$id'",

'join' => 'belongs_to_store',

'fields' => 'this.*, store.state'

));

... 省略[/php]
读过代码的就知道了,其实上面的conditions之类的都是拼接成SQL语句最终要进入数据库的。

所以注射产生
exp:
[php]
POST index.php?app=coupon&act=extend&id=1[exp]

data:user_name=test(当前已经登录的用户名)
[/php]
6

发表评论