Ecshop has numerous SQL injection vulnerabilities – flow.php

from:http://www.wooyun.org/bugs/wooyun-2012-011066

Details:

flow.php

    // $key is interpolated directly into the SQL string
    $sql = "SELECT g.goods_name, g.goods_number ".
            "FROM " .$GLOBALS['ecs']->table('goods'). " AS g, ".
                $GLOBALS['ecs']->table('cart'). " AS c ".
            "WHERE g.goods_id = c.goods_id AND c.rec_id = '$key'";
    $row = $GLOBALS['db']->getRow($sql);
    // Query: inventory is enabled, so check whether the entered quantity is valid
    if (intval($GLOBALS['_CFG']['use_storage']) > 0 && $goods['extension_code'] != 'package_buy')
    {
        if ($row['goods_number'] < $val)
        {
            show_message(sprintf($GLOBALS['_LANG']['stock_insufficiency'], $row['goods_name'],
            $row['goods_number'], $row['goods_number']));
            exit;
        }
        /* It is a product */
        $goods['product_id'] = trim($goods['product_id']);
        if (!empty($goods['product_id']))
        {
The global input filtering only processes the values of arrays and does not process the keys, which causes the vulnerability.
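The gap described above, as an added example (not ECShop's code and not part of the original post): a values-only filter next to one that also escapes keys, plus an integer check for `rec_id`. The function names and sample input are constructed, and it is assumed that `$key` is an array key taken from request data.

```php
<?php
// Added example, not ECShop code. Function names and sample input are constructed.

// Models a global filter that escapes array values recursively but leaves keys as sent.
function escape_values_only($data)
{
    return is_array($data) ? array_map('escape_values_only', $data) : addslashes((string) $data);
}

// Hardened filter: escape the keys as well as the values.
function escape_keys_and_values($data)
{
    if (!is_array($data)) {
        return addslashes((string) $data);
    }
    $out = array();
    foreach ($data as $k => $v) {
        $out[addslashes((string) $k)] = escape_keys_and_values($v);
    }
    return $out;
}

// Stricter check for this query: rec_id is numeric, so accept digit-only keys and nothing else.
function valid_rec_id($key)
{
    $key = (string) $key;
    return ctype_digit($key) ? (int) $key : null;
}

// Constructed request data: one normal entry and one whose key carries a single quote.
$goods_number = array('15' => '2', "16' /* constructed */" => '1');

foreach (escape_values_only($goods_number) as $key => $val) {
    $id = valid_rec_id($key);
    // The key reaches the query unchanged after the values-only filter.
    printf("key after values-only filter: %s\n", $key);
    printf("interpolated as in flow.php:  ... c.rec_id = '%s'\n", $key);
    printf("integer check:                %s\n\n", $id === null ? 'rejected' : $id);
}

// With keys escaped too, the quote in the second key is backslash-escaped.
print_r(array_keys(escape_keys_and_values($goods_number)));
```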

There is one maddening thing, though~

It turns out Xiao Ming had already nailed this hole back in 2010

http://www.myhack58.com/Article/html/3/62/2010/26956.htm
