SQL injection vulnerability in phpshe

2014-05-08T00:00:00
ID SSV:94715
Type seebug
Reporter Root
Modified 2014-05-08T00:00:00

Description

Brief description:

phpshe injection vulnerability

Details:

/module/index/product.php

    case 'list':
        $category_id = intval($id);
        $info = $db->pe_select('category', array('category_id'=>$category_id));
        // search
        $sqlwhere = " and `product_state` = 1";
        pe_lead('hook/category.hook.php');
        if ($category_id) {
            $sqlwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
        }
        $_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'";
        if ($_g_orderby) {
            $orderby = explode('_', $_g_orderby);
            // the GET parameter is split on "_" and then put into the query
            $sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
        }
        else {
            $sqlwhere .= " order by `product_id` desc";
        }
        $info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
        // best-seller ranking

Proof of vulnerability:

Test method: http://127.0.0.1/phpshe/index.php?mod=product&act=list&orderby=a%27_b

<img src="https://images.seebug.org/upload/201405/08180630ee009a398988b71ddba16281d5a275e9.png" alt="QQ截图20140506184802.png" width="600">
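One way to close the hole in the `order by` branch shown above is to match both halves of `orderby` against fixed allow-lists before building the clause. This is an added example, not phpshe's own code or its patch; the function name, constants and column suffixes are assumptions.

```php
<?php
// Added example, not phpshe code. The column suffixes below are assumed;
// replace them with the sortable product_* columns of the real schema.
const SORTABLE_COLUMNS = ['id', 'money', 'sellnum', 'clicknum'];
const SORT_DIRECTIONS  = ['asc', 'desc'];
const DEFAULT_ORDER_BY = ' order by `product_id` desc';

/**
 * Build the ORDER BY fragment from the raw "orderby" GET value
 * ("<column suffix>_<direction>"). Identifiers and keywords cannot be bound
 * as prepared-statement parameters, so both parts are matched against fixed
 * lists and only the list's own literal is ever concatenated into the SQL.
 */
function build_order_by($raw): string
{
    if (!is_string($raw) || $raw === '') {
        return DEFAULT_ORDER_BY;           // also rejects orderby[]=... arrays
    }
    $parts = explode('_', $raw);
    if (count($parts) !== 2) {
        return DEFAULT_ORDER_BY;           // more or fewer than two segments
    }
    $col = array_search($parts[0], SORTABLE_COLUMNS, true);
    $dir = array_search(strtolower($parts[1]), SORT_DIRECTIONS, true);
    if ($col === false || $dir === false) {
        return DEFAULT_ORDER_BY;           // unknown column or direction
    }
    return ' order by `product_' . SORTABLE_COLUMNS[$col] . '` ' . SORT_DIRECTIONS[$dir];
}

// Constructed sample inputs; the second is the test value from the report.
$samples = ['money_desc', "a'_b", 'id_ASC', 'id_sideways', 'id_desc_extra', ''];
foreach ($samples as $s) {
    printf("%-18s => %s\n", var_export($s, true), build_order_by($s));
}
```

In the `list` case, `$sqlwhere .= build_order_by($_g_orderby);` would replace the whole `if ($_g_orderby) { ... } else { ... }` block.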