程式舞曲SQL注入

程式舞曲被操了无数次都不知道它是如何坚挺下来的,代码风还是那么弱爆了。

漏洞文件:/app/controllers/user/music.php

$music['cs_name']=strip_tags($this->input->post('cs_name', TRUE));   //名称
               $music['cs_cid']=intval($this->input->post('cs_cid', TRUE));   //分类
               $music['cs_tid']=intval($this->input->post('cs_tid', TRUE));   //专集
               $music['cs_tags']=strip_tags($this->input->post('cs_tags', TRUE));   //关键词
               $music['cs_cion']=intval($this->input->post('cs_cion', TRUE));   //金币
               $music['cs_singerid']=intval($this->input->post('cs_singerid', TRUE));   //歌手
               $music['cs_singer']=trim($this->CsdjSkins->uhtml($this->input->post('cs_singer', TRUE)));   //歌手
               $music['cs_content']=$this->CsdjSkins->uhtml($this->input->post('cs_content'));   //歌词/介绍
               $music['cs_playurl']=$this->CsdjSkins->str_checkhtml($this->input->post('cs_playurl', TRUE));   //播放地址
               $music['cs_dx']=$this->CsdjSkins->str_checkhtml($this->input->post('cs_dx', TRUE));   //歌曲大小
               $music['cs_yz']=$this->CsdjSkins->str_checkhtml($this->input->post('cs_yz', TRUE));   //歌曲音质
               $music['cs_sc']=$this->CsdjSkins->str_checkhtml($this->input->post('cs_sc', TRUE));   //歌曲时长
               $music['cs_pic']=$this->CsdjSkins->str_checkhtml($this->input->post('cs_pic', TRUE));   //歌曲图片
               //token check
               $token=$this->input->post('token', TRUE);
               if(!isset($_SESSION['token']) || $token!=$_SESSION['token'])  $this->CsdjSkins->Msg_url('非法提交数据!','javascript:history.back();'); 
 
               if(empty($music['cs_name']))  $this->CsdjSkins->Msg_url('歌曲名称不能为空!','javascript:history.back();'); 
               if(empty($music['cs_cid']) || $music['cs_cid']==0)  $this->CsdjSkins->Msg_url('请选择歌曲分类!','javascript:history.back();'); 
               if(empty($music['cs_playurl']))  $this->CsdjSkins->Msg_url('请选上传歌曲!','javascript:history.back();'); 
 
 
               if($music['cs_singerid']>0){ //判断歌手
                   $sql="SELECT CS_Name FROM ".CS_SqlPrefix."singer where cs_id=".$music['cs_singerid']."";
                   $row=$this->CsdjDB->get_all($sql); 
                   if(!$row){
                           $music['cs_singerid']=0;
                   }else{
                           $music['cs_singer']=$row[0]->CS_Name;
                   }
               }else{ //自定义歌手
                   $sql="SELECT CS_ID FROM ".CS_SqlPrefix."singer where cs_name='".$music['cs_singer']."'";
                   $row=$this->CsdjDB->get_all($sql);

前面的post获取就不用看了,就针对XSS过滤了一下,然后我们往下面看也没用过什么过滤,就走了一些判断什么的,然后在最后的$music['cs_singerid']>0,无论大于还是不大于都会导致注入的产生

function get_all ($sql)  //多条件查询
 {
   $query=$this->db->query($sql);
   return $query->result();
 }

shell

sql

发表评论