Source: 自学PHP网  Date: 2015-04-15 15:00
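ECSHOP admin back-end SQL injection vulnerability. Freshly found, still hot. The earlier reports were submitted separately because I was submitting while still digging.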
admin/favourable.php
    if ($_REQUEST['act'] == 'list') {
        admin_priv('favourable');

    function favourable_list() {
        echo 22222222222222;
        $result = get_filter();
        if ($result === false) {
            /* Filter conditions */
            $filter['keyword'] = empty($_REQUEST['keyword']) ? '' : trim($_REQUEST['keyword']);
            if (isset($_REQUEST['is_ajax']) && $_REQUEST['is_ajax'] == 1) {
                $filter['keyword'] = json_str_iconv($filter['keyword']);
            }
            $filter['is_going'] = empty($_REQUEST['is_going']) ? 0 : 1;
            $filter['sort_by'] = empty($_REQUEST['sort_by']) ? 'act_id' : trim($_REQUEST['sort_by']); // parameter is not filtered
            $filter['sort_order'] = empty($_REQUEST['sort_order']) ? 'DESC' : trim($_REQUEST['sort_order']);

            $where = "";
            if (!empty($filter['keyword'])) {
                $where .= " AND act_name LIKE '%" . mysql_like_quote($filter['keyword']) . "%'";
            }
            if ($filter['is_going']) {
                $now = gmtime();
                $where .= " AND start_time <= '$now' AND end_time >= '$now' ";
            }

            $sql = "SELECT COUNT(*) FROM " . $GLOBALS['ecs']->table('favourable_activity') .
                   " WHERE 1 $where";
            $filter['record_count'] = $GLOBALS['db']->getOne($sql);

            /* Page size */
            $filter = page_and_size($filter);

            /* Query */
            $sql = "SELECT * ".
                   "FROM " . $GLOBALS['ecs']->table('favourable_activity') .
                   " WHERE 1 $where ".
                   " ORDER BY $filter[sort_by] $filter[sort_order] ". // passed straight into the query
                   " LIMIT ". $filter['start'] .", $filter[page_size]";
Test method
127.0.0.1/ec/admin/favourable.php?act=query&sort_by='1&id=1
Fix:
Take a guess.
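One way to close the hole shown in the excerpt, as an added example that is not part of the original post and not ECShop's own code: `sort_by` and `sort_order` reach the SQL text as a bare identifier and keyword, so string escaping cannot protect them and an allowlist is used instead. The function name `sanitize_sort` and the allowlist contents (columns visible in the excerpt) are assumptions.

```php
<?php
// Added example, not ECShop code. Assumption: the sortable columns are the
// ones that appear in the excerpt (act_id, act_name, start_time, end_time).

/**
 * Reduce untrusted sort parameters to known-good SQL fragments.
 * Values in ORDER BY are not quoted literals, so they cannot be bound as
 * parameters or escaped; only strings from the allowlist may reach the query.
 *
 * @return array [column, direction], both safe to interpolate
 */
function sanitize_sort(array $request, array $allowedColumns, string $defaultColumn): array
{
    // Reject non-string input (e.g. sort_by[]=x) before comparing.
    $sortBy = (isset($request['sort_by']) && is_string($request['sort_by']))
        ? trim($request['sort_by']) : '';
    $column = in_array($sortBy, $allowedColumns, true) ? $sortBy : $defaultColumn;

    $sortOrder = (isset($request['sort_order']) && is_string($request['sort_order']))
        ? strtoupper(trim($request['sort_order'])) : '';
    // Exactly two legal keywords; anything else falls back to DESC.
    $direction = ($sortOrder === 'ASC') ? 'ASC' : 'DESC';

    return [$column, $direction];
}

$allowed = ['act_id', 'act_name', 'start_time', 'end_time'];

// Constructed inputs: a normal request, the sort_by value from the test URL
// in the post, and a malformed request with an array and a trailing payload.
$samples = [
    ['sort_by' => 'start_time', 'sort_order' => 'asc'],
    ['sort_by' => "'1"],
    ['sort_by' => ['x'], 'sort_order' => 'DESC; --'],
];

foreach ($samples as $request) {
    list($filter['sort_by'], $filter['sort_order']) =
        sanitize_sort($request, $allowed, 'act_id');
    // Same clause shape as the excerpt, now built only from allowlisted text.
    echo " ORDER BY $filter[sort_by] $filter[sort_order] ", PHP_EOL;
}
```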