Code audit: analysis of the SQL injection vulnerability in 方维团购导航 (Fanwe group-buy navigation)

Category: Seay信息安全博客 (Seay Information Security Blog)


As soon as I opened the site I found my account had been blacklisted, so I rushed to post a reply, nervous as anything. I quickly grabbed a system to look at. Fine, I admit I only had a quick look: an array is passed straight into the query statement without filtering. The vulnerability is in the file userModule.class.php.

 

Here is the code.

public function stepsave(){
        if(intval($GLOBALS['user_info']['id'])==0)
        {
                es_session::set('before_login',$_SERVER['REQUEST_URI']);
                app_redirect(url("shop","user#login"));
        }
        $user_id=intval($GLOBALS['user_info']['id']);
        $focus_list = explode(",",$_REQUEST['user_ids']); // dangerous: every element is a raw string taken from the request
        foreach($focus_list as $k=>$focus_uid)
        {
                //echo $focus_uid;
                //exit;
                if(intval($focus_uid) > 0){ // only checked with intval(); the raw value is still used below
                        // not affected: here the value is converted with intval() at the point of use
                        $focus_data = $GLOBALS['db']->getRow("select * from ".DB_PREFIX."user_focus where focus_user_id = ".$user_id." and focused_user_id = ".intval($focus_uid));
                        if(!$focus_data)
                        {
                                // SQL injection: the unconverted $focus_uid is concatenated into the query
                                $focused_user_name = $GLOBALS['db']->getOne("select user_name from ".DB_PREFIX."user where id = ".$focus_uid);
                                $focus_data = array();
                                $focus_data['focus_user_id'] = $user_id;
                                $focus_data['focused_user_id'] = $focus_uid; // raw value stored as well; autoExecute() is not shown here
                                $focus_data['focus_user_name'] = $GLOBALS['user_info']['user_name'];
                                $focus_data['focused_user_name'] = $focused_user_name;
                                $GLOBALS['db']->autoExecute(DB_PREFIX."user_focus",$focus_data,"INSERT");
                                $GLOBALS['db']->query("update ".DB_PREFIX."user set focus_count = focus_count + 1 where id = ".$user_id);
                                // SQL injection again: the same raw $focus_uid in the update
                                $GLOBALS['db']->query("update ".DB_PREFIX."user set focused_count = focused_count + 1 where id = ".$focus_uid);
                        }
                }
        }
        showSuccess($GLOBALS['lang']['REGISTER_SUCCESS'],0,url("shop","uc_center"));
}

 

As you can all see, the value is only checked with intval(); the raw $focus_uid is then concatenated straight into the query, both in the getOne() lookup of user_name and in the second update, while the getRow() before them converts it with intval() and is not affected. I'll say no more; try it and you'll get a shock. I'm out of here!
 
The exploit is trivial, so I won't write it out; it's a universal problem.
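To make the check-then-use mismatch concrete, here is an added example (my own illustration, not code from the 方维 project). It isolates the two query shapes from stepsave() into a vulnerable and a hardened function, feeds both a constructed user_ids value, and returns the SQL each one would build. DB_PREFIX is assumed to be 'fw_' and the function names are my own; the real class runs these strings through $GLOBALS['db'] instead of returning them.

```php
<?php
// Added example, not the Fanwe (方维) project's code. It isolates the
// check-then-use mismatch from stepsave(): intval() guards the branch, but
// the raw string is what reaches the SQL. DB_PREFIX is assumed as 'fw_' for
// illustration; the real prefix is whatever the install configured.
declare(strict_types=1);

const DB_PREFIX = 'fw_';

// intval() on a leading-numeric string returns its leading integer, so a
// value like "3 or 1=1" passes an intval($x) > 0 check completely unchanged.
function vulnerableQueries(string $userIds): array
{
    $queries = [];
    foreach (explode(',', $userIds) as $focusUid) {
        if (intval($focusUid) > 0) {
            // Same shape as the original getOne() and the second update():
            // the unconverted $focusUid is concatenated into the statement.
            $queries[] = 'select user_name from ' . DB_PREFIX . 'user where id = ' . $focusUid;
            $queries[] = 'update ' . DB_PREFIX . 'user set focused_count = focused_count + 1 where id = ' . $focusUid;
        }
    }
    return $queries;
}

// Hardened form: convert once, then use only the converted integer. For an
// integer column this closes the injection; a prepared statement is the
// general fix, but the project's getOne()/query() helpers take raw SQL.
function hardenedQueries(string $userIds): array
{
    $queries = [];
    foreach (explode(',', $userIds) as $focusUid) {
        $uid = (int) $focusUid;
        if ($uid > 0) {
            $queries[] = 'select user_name from ' . DB_PREFIX . 'user where id = ' . $uid;
            $queries[] = 'update ' . DB_PREFIX . 'user set focused_count = focused_count + 1 where id = ' . $uid;
        }
    }
    return $queries;
}

// Constructed request value standing in for $_REQUEST['user_ids']:
// "7" is legitimate, "3 or 1=1" passes the intval() check, "abc" and "-2" are rejected.
$userIds = '7,3 or 1=1,abc,-2';

echo "vulnerable:\n";
foreach (vulnerableQueries($userIds) as $q) {
    echo '  ', $q, "\n";
}
echo "hardened:\n";
foreach (hardenedQueries($userIds) as $q) {
    echo '  ', $q, "\n";
}
```

Run it with `php example.php`. The vulnerable set contains `update fw_user set focused_count = focused_count + 1 where id = 3 or 1=1`, which touches every row of the user table, whereas the hardened set only ever emits `where id = 7` and `where id = 3`. The same cast-at-use pattern is what the original getRow() call already does, so the fix is to apply it to the other two statements as well.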

 

Author: xiaoxiaoabc

Tags: code audit, 方维团购 vulnerability
