Ecmall SQL注射之一

缺陷文件:/app/coupon.app.php [php] function extend() { $coupon_id = isset($_GET['id']) ? trim($_GET['id']) : ''; if (empty($coupon_id)) { echo Lang::get('no_coupon'); exit; } if (!IS_POST) { header("Content-Type:text/html;charset=" . CHARSET); $this->assign('id', $coupon_id); $this->assign('send_model', Lang::get('send_model')); $this->display("coupon_extend.html"); } else { if (empty($_POST['user_name'])) { $this->pop_warning("involid_data"); exit; } $user_name = str_replace(array("\r","\r\n"), "\n", trim($_POST['user_name'])); $user_name = explode("\n", $user_name); $user_mod =&m ('member'); $users = $user_mod->find(db_create_in($user_name, 'user_name')); if (empty($users)) { $this->pop_warning('involid_data'); exit; } if (count($users) > 30) { $this->pop_warning("amount_gt"); exit; } else { $users = $this->assign_user($coupon_id, $users); $store = $this->_store_mod->get_info($this->_store_id); $coupon = $this->_coupon_mod->get_info($coupon_id); $coupon['store_name'] = $store['store_name']; $coupon['store_id'] = $this->_store_id; $this->_message_to_user($users, $coupon); $this->_mail_to_user($users, $coupon); $this->pop_warning("ok","coupon_extend"); } } } [/php] 首先是coupon_id只过滤了空格,随后在else语句里进入了get_info函数: [php] function get_info($id) { $goods = $this->get(array( 'conditions' => "goods_id = '$id'", 'join' => 'belongs_to_store', 'fields' => 'this.*, store.state' )); ... 省略[/php] 读过代码的就知道了,其实上面的conditions之类的都是拼接成SQL语句最终要进入数据库的。 所以注射产生 exp: [php] POST index.php?app=coupon&act=extend&id=1[exp] data:user_name=test(当前已经登录的用户名) [/php] 6

发表评论