来源:自学PHP网 时间:2015-04-15 15:00 作者: 阅读:次
[导读] cmseasy某处sql注入,无视防御从 celive live index php开始:include( 39; include config inc php 39;);include_once(CE_ROOT 39; include celive class php 39;);$ac = addslashes($_GET[ 39;a...
cmseasy某处sql注入,无视防御 从/celive/live/index.php开始:
include('../include/config.inc.php'); include_once(CE_ROOT . '/include/celive.class.php'); $ac = addslashes($_GET['action']); if ($ac == '1') { $live = new celive(); $live->template(); $live->xajax_live(); ... ... ... ... ... ...
function xajax_live() { if (!$this->xajax_live_flag) { $this->xajax_live_flag=true; include_once(dirname(__FILE__).'/xajax.inc.php'); include_once(dirname(__FILE__).'/xajax.class.php'); global $xajax_live; $xajax_live=new xajax(); $xajax_live->setCharEncoding('utf-8'); $xajax_live->decodeUTF8InputOn(); $xajax_live->registerFunction('Request'); $xajax_live->registerFunction('Postdata'); $xajax_live->registerFunction('ChatHistory'); $xajax_live->registerFunction('LiveMessage'); $xajax_live->registerFunction('EndChat'); $xajax_live->registerFunction('GetAdminEndChat'); $xajax_live->processRequests(); } }
function processRequests() { $requestMode = -1; $sFunctionName = ""; $bFoundFunction = true; $bFunctionIsCatchAll = false; $sFunctionNameForSpecial = ""; $aArgs = array(); $sPreResponse = ""; $bEndRequest = false; $requestMode = $this->getRequestMode(); // 如果没有参数就退出 if ($requestMode == -1) return; if ($requestMode == XAJAX_POST) { $sFunctionName = $_POST["xajax"]; if (!empty($_POST["xajaxargs"])) $aArgs = $_POST["xajaxargs"]; } else { header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); header("Cache-Control: no-cache, must-revalidate"); header("Pragma: no-cache"); $sFunctionName = $_GET["xajax"]; if (!empty($_GET["xajaxargs"])) $aArgs = $_GET["xajaxargs"]; }
if ($bFoundFunction) { $sFunctionNameForSpecial = $sFunctionName; if (!array_key_exists($sFunctionName, $this->aFunctions)) { if ($this->sCatchAllFunction) { $sFunctionName = $this->sCatchAllFunction; $bFunctionIsCatchAll = true; } else { $bFoundFunction = false; $oResponse = new xajaxResponse(); $oResponse->addAlert("Unknown Function $sFunctionName."); } } }
if (!$bEndRequest) { if (!$this->_isFunctionCallable($sFunctionName)) { $oResponse = new xajaxResponse(); $oResponse->addAlert("The Registered Function $sFunctionName Could Not Be Found."); } else { if ($bFunctionIsCatchAll) { $aArgs = array($sFunctionNameForSpecial, $aArgs); } $oResponse = $this->_callFunction($sFunctionName, $aArgs); // 调用函数 }
function LiveMessage($a) { global $db; $sessionid = $_SESSION['sessionid']; $name = htmlspecialchars($a['name']); $email = htmlspecialchars($a['email']); $country = htmlspecialchars($a['country']); $phone = htmlspecialchars($a['phone']); $departmentid = htmlspecialchars($a['departmentid']); $message = htmlspecialchars($a['message']); $timestamp = time(); $ip = $_SERVER['REMOTE_ADDR']; $sql = "INSERT INTO `chat` (`sessionid`,`name`,`email`,`phone`,`departmentid`,`message`,`timestamp`,`ip`,`status`) VALUES('" . $sessionid . "','" . $name . "','" . $email . "','" . $phone . "','" . $departmentid . "','" . $message . "','" . $timestamp . "','" . $ip . "','2')"; $db->query($sql); $sql = "DELETE FROM `sessions` WHERE `id`='" . $sessionid . "'"; $db->query($sql); $text = "<?php echo $lang[shout_success]?>\n"; $objResponse = new xajaxResponse('utf-8'); $objResponse->addAssign('content', 'innerHTML', $text); $objResponse->redirect('../', 5); return $objResponse; }
function query($sql, $table = '', $cache = '', $arg = '') { $line = explode("\n", $sql); if (count($line) == 1) { $line[0] = $this->prefix($line[0]); if ($table == '') { $table = $this->table; } return $this->raw_query($line[0], $table, $cache, $arg); } }
修复方案:对LiveMessage中的输入进行过滤 |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com