ECSHOP后台注入

upload/admin/agency.php [php] elseif ($_REQUEST['act'] == 'query') { $agency_list = get_agencylist(); //跟踪这个函数 $smarty->assign('agency_list', $agency_list['agency']); $smarty->assign('filter', $agency_list['filter']); $smarty->assign('record_count', $agency_list['record_count']); $smarty->assign('page_count', $agency_list['page_count']); /* 排序标记 */ $sort_flag = sort_flag($agency_list['filter']); $smarty->assign($sort_flag['tag'], $sort_flag['img']); make_json_result($smarty->fetch('agency_list.htm'), '', array('filter' => $agency_list['filter'], 'page_count' => $agency_list['page_count'])); }[/php] get_agencylist()函数代码如下 [php] function get_agencylist() { $result = get_filter();//当$result为false时才能够实现。 if ($result === false) { /* 初始化分页参数 */ $filter = array(); $filter['sort_by'] = empty($_REQUEST['sort_by']) ? 'agency_id' : trim($_REQUEST['sort_by']);//未过滤 $filter['sort_order'] = empty($_REQUEST['sort_order']) ? 'DESC' : trim($_REQUEST['sort_order']);//未过滤 /* 查询记录总数,计算分页数 */ $sql = "SELECT COUNT(*) FROM " . $GLOBALS['ecs']->table('agency'); $filter['record_count'] = $GLOBALS['db']->getOne($sql); $filter = page_and_size($filter); /* 查询记录 */ $sql = "SELECT * FROM " . $GLOBALS['ecs']->table('agency') . " ORDER BY $filter[sort_by] $filter[sort_order]";//代入查询。 set_filter($filter, $sql); } else { $sql = $result['sql']; $filter = $result['filter']; } $res = $GLOBALS['db']->selectLimit($sql, $filter['page_size'], $filter['start']);//带入查询函数 $arr = array(); while ($rows = $GLOBALS['db']->fetchRow($res)) { $arr[] = $rows; } return array('agency' => $arr, 'filter' => $filter, 'page_count' => $filter['page_count'], 'record_count' => $filter['record_count']); } [/php] get_filter()代码如下//传参是为空所以返回false [php] function get_filter($param_str = '') { $filterfile = basename(PHP_SELF, '.php'); if ($param_str) { $filterfile .= $param_str; } if (isset($_GET['uselastfilter']) && isset($_COOKIE['ECSCP']['lastfilterfile']) && $_COOKIE['ECSCP']['lastfilterfile'] == sprintf('%X', crc32($filterfile))) { return array( 'filter' => unserialize(urldecode($_COOKIE['ECSCP']['lastfilter'])), 'sql' => base64_decode($_COOKIE['ECSCP']['lastfiltersql']) ); } else { return false; } } [/php] ecshopsql

1 条评论

  1. flow

    后台漏洞都没人重视

发表评论