Stcms SQL injection and fix - vulnerability warning - the black bar safety net

2012-08-26T00:00:00
ID MYHACK58:62201234711
Type myhack58
Reporter 佚名
Modified 2012-08-26T00:00:00

Description

Arbitrary SQL statements can be executed.

case 'list':
// Member list action: counts matching members, clamps the requested page into
// range, fetches one page of rows, and renders it through Smarty.
// NOTE(review): $where is not assigned anywhere in this action before it is
// handed to numTable() and select() as a raw WHERE fragment; the advisory shows
// it can be supplied from the request (u.php?action=list&where=...), so the
// clause must be built here from validated input, never passed through.
$totalNum = $mysql->numTable("member", $where);
// Page size; "2 0" is how the page renders it and is presumably the literal 20.
$pageNum = 2 0;
// Ceiling of totalNum / pageNum without using ceil().
$totalPage = intval($totalNum/$pageNum) == $totalNum/$pageNum ? $totalNum/$pageNum : intval($totalNum/$pageNum)+1;
// $page is also taken as-is from the surrounding scope (origin not shown here);
// the three lines below only clamp it into [1, $totalPage].
$page = $page ? $page : 1;
$page = $page>$totalPage ? $totalPage : $page;
$page = $page<1 ? 1 : $page;
// Same unvalidated $where reaches the SELECT; the trailing site name on this
// line is a watermark from the page, not part of the statement.
$members = $mysql->select("member","id,name,time,money,provience,city,picture",$where,array("id DESC"),array(($page-1)*$pageNum,$pageNum)); www.myhack58.com
require(INCLUDE_PATH."page.class.php");
// Pagination links; the spaces inside the URL literal look like extraction artifacts.
$pageClass = new page($page,$totalNum,$pageNum, WEB_URL."member/u. php? action=list", true);
$pageCode = $pageClass->getCode();
$smarty->assign("webTitle","membership list");
$smarty->assign("uList", $members);
$smarty->assign("pageCode", $pageCode);
$smarty->display("member/m_u_list.html");

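/**
 * Count the rows of a table, optionally restricted by a WHERE clause.
 *
 * @param string             $table  Table name without the configured prefix.
 * @param array|string|false $wheres Either an associative array of
 *        column => value pairs joined with AND, a raw SQL fragment that is
 *        appended verbatim, or false for no restriction.
 *
 * @return int Row count; 0 when the query yields no usable row.
 *
 * @throws \InvalidArgumentException when an array key is not a plain identifier.
 */
function numTable($table = '', $wheres = false)
{
    $table = $this->dbPrefix . $table;
    $sql = "SELECT COUNT(*) AS num FROM $table";

    if ($wheres) {
        // Leading space: without it the keyword is glued onto the table name.
        $sql .= " WHERE ";

        if (is_array($wheres)) {
            $whr = [];
            foreach ($wheres as $key => $val) {
                // Keys are interpolated as column identifiers, so restrict them
                // to a plain identifier shape instead of trusting the caller.
                if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string) $key)) {
                    throw new \InvalidArgumentException("Invalid column name in where clause: $key");
                }
                // Values are single-quoted; escape quotes and backslashes so a
                // value cannot terminate the literal. The driver's own escaping
                // (e.g. mysqli::real_escape_string) is preferable if the
                // connection handle is reachable from here.
                $whr[] = "$key='" . addslashes((string) $val) . "'";
            }
            $sql .= implode(" AND ", $whr);
        } elseif (is_string($wheres)) {
            // Appended verbatim: callers must never pass request-controlled
            // text through this branch.
            $sql .= $wheres;
        }
    }

    $result = $this->fetch($this->query($sql));

    // fetch() may yield no row (e.g. failed query); report 0 rather than a notice.
    return isset($result['num']) ? (int) $result['num'] : 0;
}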

Because `$where` is never initialized, it can be supplied from the request, which allows arbitrary SQL statements to be executed.

Test:

http://www.xxxxx.com/stcms_html/member/u.php?action=list&where={sql}

Solution: you know.