### 简要描述: 过滤不严。 ### 详细说明: 在action/users/user_info.action.php中 ``` $user_id =get_sess_userid(); $model = short_check(get_argg('model')); $birth_year = short_check(get_argp('birth_year')); $birth_month = short_check(get_argp('birth_month')); $birth_day = short_check(get_argp('birth_day')); $reside_city = short_check(get_argp('reside_city')); $reside_province = short_check(get_argp('reside_province')); $birth_city = short_check(get_argp('birth_city')); $birth_province = short_check(get_argp('birth_province')); $is_finish=intval(get_argg('is_finish')); $info = get_argp('info'); ``` 可以看到$info 没有经过short_check的过滤。 看看后面的。 ``` if(!empty($info)){ foreach($info as $key => $value){ if($value!==''){ $key=explode('|',$key); $sql="insert into $t_user_info (user_id,info_id,info_value) values ($user_id,'".$key[0]."','$value')"; echo $sql; $dbo -> exeUpdate($sql); } } } ``` foreach出来 就带入了insert中 我把语句输出来一下把。 ### 漏洞证明: [<img...
### 简要描述: 过滤不严。 ### 详细说明: 在action/users/user_info.action.php中 ``` $user_id =get_sess_userid(); $model = short_check(get_argg('model')); $birth_year = short_check(get_argp('birth_year')); $birth_month = short_check(get_argp('birth_month')); $birth_day = short_check(get_argp('birth_day')); $reside_city = short_check(get_argp('reside_city')); $reside_province = short_check(get_argp('reside_province')); $birth_city = short_check(get_argp('birth_city')); $birth_province = short_check(get_argp('birth_province')); $is_finish=intval(get_argg('is_finish')); $info = get_argp('info'); ``` 可以看到$info 没有经过short_check的过滤。 看看后面的。 ``` if(!empty($info)){ foreach($info as $key => $value){ if($value!==''){ $key=explode('|',$key); $sql="insert into $t_user_info (user_id,info_id,info_value) values ($user_id,'".$key[0]."','$value')"; echo $sql; $dbo -> exeUpdate($sql); } } } ``` foreach出来 就带入了insert中 我把语句输出来一下把。 ### 漏洞证明: [<img src="https://images.seebug.org/upload/201405/1013585052987f9f367689b9e0ad9702886285d4.jpg" alt="i2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/1013585052987f9f367689b9e0ad9702886285d4.jpg) [<img src="https://images.seebug.org/upload/201405/10135911259992b7b2191297dc6c2d8033d193f9.jpg" alt="i3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10135911259992b7b2191297dc6c2d8033d193f9.jpg)
