TinyShop sql注入#3( 可无限充值)

- AV AC AU C I A
发布: 2025-04-13
修订: 2025-04-13

### 简要描述: rt ### 详细说明: 我们看到 /protected/controllers/ucenter.php ``` public function info_save() { $name = Filter::sql(Req::args("name")); $id = $this->user['id']; $this->model->table("user")->data(array("name"=>$name))->where("id=$id")->update(); $this->model->table("customer")->where("user_id=$id")->update(); $obj = $this->model->table("user as us")->join("left join customer as cu on us.id = cu.user_id")->fields("us.*,cu.group_id,cu.login_time")->where("us.id=$id")->find(); $this->safebox->set('user',$obj,$this->cookie_time); $this->redirect("info"); } ``` 看到这行代码 ``` $this->model->table("customer")->where("user_id=$id")->update(); ``` 继续跟到 updata() ``` public function update() { $sql = $this->sql; if(!is_array($sql['data']) || count($sql['data'])<1) { $sql['data'] = Req::post(); } $set = ''; foreach($sql['data'] as $key => $val) { if(is_string($key) && $key != $this->primary_key && isset($this->fields[$key])) { if(is_string($key)) { $value = $val; if(is_null($val)){ $value =...

0%
暂无可用Exp或PoC
当前有0条受影响产品信息