### 简要描述: 未过滤 ### 详细说明: 先看写入代码: /var/www/html/thinksaas/app/my/action/setting.php ``` case "citydo": $province = trim($_POST['province']); $city = trim($_POST['city']);//只过滤两处空白 //这里就直接写入数据库了 $new['my']->update('user_info',array( 'userid'=>$userid, ),array( 'province'=>$province, 'city'=>$city, )); tsNotice("常居地更新成功!"); break; ``` Update: ``` public function update($table, $conditions, $row) { $where = ""; if (empty ( $row )) return FALSE; if (is_array ( $conditions )) { $join = array (); foreach ( $conditions as $key => $condition ) { $condition = $this->escape ( $condition ); $join [] = "`{$key}` = {$condition}"; } $where = "WHERE " . join ( " AND ", $join ); } else { if (null != $conditions) $where = "WHERE " . $conditions; } foreach ( $row as $key => $value ) { $value = $this->escape ( $value ); //只做了转义 //$vals [] = "`$key` = $value"; $vals [] = "{$key} = {$value}"; } $values = join ( ", ", $vals ); $sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}"; return...
### 简要描述: 未过滤 ### 详细说明: 先看写入代码: /var/www/html/thinksaas/app/my/action/setting.php ``` case "citydo": $province = trim($_POST['province']); $city = trim($_POST['city']);//只过滤两处空白 //这里就直接写入数据库了 $new['my']->update('user_info',array( 'userid'=>$userid, ),array( 'province'=>$province, 'city'=>$city, )); tsNotice("常居地更新成功!"); break; ``` Update: ``` public function update($table, $conditions, $row) { $where = ""; if (empty ( $row )) return FALSE; if (is_array ( $conditions )) { $join = array (); foreach ( $conditions as $key => $condition ) { $condition = $this->escape ( $condition ); $join [] = "`{$key}` = {$condition}"; } $where = "WHERE " . join ( " AND ", $join ); } else { if (null != $conditions) $where = "WHERE " . $conditions; } foreach ( $row as $key => $value ) { $value = $this->escape ( $value ); //只做了转义 //$vals [] = "`$key` = $value"; $vals [] = "{$key} = {$value}"; } $values = join ( ", ", $vals ); $sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}"; return $this->db->query ( $sql ); } ``` 再来看取出: /var/www/html/thinksaas/app/user/class.user.php ``` //获取一个用户的信息 function getOneUser($userid){ $strUser = $this->find('user_info',array( 'userid'=>$userid, )); if($strUser){ $strUser['username'] = tsTitle($strUser['username']); if($strUser['face'] && $strUser['path']){ $strUser['face'] = tsXimg($strUser['face'],'user',120,120,$strUser['path'],1); }elseif($strUser['face'] && $strUser['path']==''){ $strUser['face']= SITE_URL.'public/images/'.$strUser['face']; }else{ //没有头像 $strUser['face']= SITE_URL.'public/images/user_large.jpg'; } }else{ $strUser = ''; } return $strUser; //没任何过滤 } ``` ### 漏洞证明: [<img src="https://images.seebug.org/upload/201512/251130037d7fc4a08f8b68c547c5972e50168c6a.png" alt="thi1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/251130037d7fc4a08f8b68c547c5972e50168c6a.png) [<img src="https://images.seebug.org/upload/201512/25113012d074f5bbde88fbd5273a3bae4440e3c0.png" alt="thi2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/25113012d074f5bbde88fbd5273a3bae4440e3c0.png)
