缺陷文件:/app/coupon.app.php
[php]
function extend()
{
$coupon_id = isset($_GET['id']) ? trim($_GET['id']) : '';
if (empty($coupon_id))
{
echo Lang::get('no_coupon');
exit;
}
if (!IS_POST)
{
header("Content-Type:text/html;charset=" . CHARSET);
$this->assign('id', $coupon_id);
$this->assign('send_model', Lang::get('send_model'));
$this->display("coupon_extend.html");
}
else
{
if (empty($_POST['user_name']))
{
$this->pop_warning("involid_data");
exit;
}
$user_name = str_replace(array("/r","/r/n"), "/n", trim($_POST['user_name']));
$user_name = explode("/n", $user_name);
$user_mod =&m ('member');
$users = $user_mod->find(db_create_in($user_name, 'user_name'));
if (empty($users))
{
$this->pop_warning('involid_data');
exit;
}
if (count($users) > 30)
{
$this->pop_warning("amount_gt");
exit;
}
else
{
$users = $this->assign_user($coupon_id, $users);
$store = $this->_store_mod->get_info($this->_store_id);
$coupon = $this->_coupon_mod->get_info($coupon_id);
$coupon['store_name'] = $store['store_name'];
$coupon['store_id'] = $this->_store_id;
$this->_message_to_user($users, $coupon);
$this->_mail_to_user($users, $coupon);
$this->pop_warning("ok","coupon_extend");
}
}
}
[/php]
首先是coupon_id只过滤了空格,随后在else语句里进入了get_info函数:
[php]
function get_info($id)
{
$goods = $this->get(array(
'conditions' => "goods_id = '$id'",
'join' => 'belongs_to_store',
'fields' => 'this.*, store.state'
));
... 省略[/php]
读过代码的就知道了,其实上面的conditions之类的都是拼接成SQL语句最终要进入数据库的。
所以注射产生
exp:
[php]
POST index.php?app=coupon&act=extend&id=1[exp]
data:user_name=test(当前已经登录的用户名)
[/php]
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论