ECSHOP后台注入

upload/admin/agency.php
[php]
elseif ($_REQUEST['act'] == 'query')

{

$agency_list = get_agencylist(); //跟踪这个函数

$smarty->assign('agency_list', $agency_list['agency']);

$smarty->assign('filter', $agency_list['filter']);

$smarty->assign('record_count', $agency_list['record_count']);

$smarty->assign('page_count', $agency_list['page_count']);

/* 排序标记 */

$sort_flag = sort_flag($agency_list['filter']);

$smarty->assign($sort_flag['tag'], $sort_flag['img']);

make_json_result($smarty->fetch('agency_list.htm'), '',

array('filter' => $agency_list['filter'], 'page_count' => $agency_list['page_count']));

}[/php]
get_agencylist()函数代码如下
[php]
function get_agencylist()

{

$result = get_filter();//当$result为false时才能够实现。

if ($result === false)

{

/* 初始化分页参数 */

$filter = array();

$filter['sort_by'] = empty($_REQUEST['sort_by']) ? 'agency_id' : trim($_REQUEST['sort_by']);//未过滤

$filter['sort_order'] = empty($_REQUEST['sort_order']) ? 'DESC' : trim($_REQUEST['sort_order']);//未过滤

/* 查询记录总数,计算分页数 */

$sql = "SELECT COUNT(*) FROM " . $GLOBALS['ecs']->table('agency');

$filter['record_count'] = $GLOBALS['db']->getOne($sql);

$filter = page_and_size($filter);

/* 查询记录 */

$sql = "SELECT * FROM " . $GLOBALS['ecs']->table('agency') . " ORDER BY $filter[sort_by] $filter[sort_order]";//代入查询。

set_filter($filter, $sql);

}

else

{

$sql = $result['sql'];

$filter = $result['filter'];

}

$res = $GLOBALS['db']->selectLimit($sql, $filter['page_size'], $filter['start']);//带入查询函数

$arr = array();

while ($rows = $GLOBALS['db']->fetchRow($res))

{

$arr[] = $rows;

}

return array('agency' => $arr, 'filter' => $filter, 'page_count' => $filter['page_count'], 'record_count' => $filter['record_count']);

}
[/php]
get_filter()代码如下//传参是为空所以返回false
[php]
function get_filter($param_str = '')

{

$filterfile = basename(PHP_SELF, '.php');

if ($param_str)

{

$filterfile .= $param_str;

}

if (isset($_GET['uselastfilter']) && isset($_COOKIE['ECSCP']['lastfilterfile'])

&& $_COOKIE['ECSCP']['lastfilterfile'] == sprintf('%X', crc32($filterfile)))

{

return array(

'filter' => unserialize(urldecode($_COOKIE['ECSCP']['lastfilter'])),

'sql' => base64_decode($_COOKIE['ECSCP']['lastfiltersql'])

);

}

else

{

return false;

}

}
[/php]
ecshopsql

1 条评论

  1. flow

    后台漏洞都没人重视

发表评论