### 简要描述:

phpshe 注入漏洞（SQL 注入）

### 详细说明:

文件：module/index/order.php

```php
case 'cartdel':
    $money['order_productmoney'] = $money['order_wlmoney'] = $money['order_money'] = 0;
    if (pe_login('user')) {
        $result = $db->pe_delete('cart', array ('user_id'=>$_s_user_id, 'product_id'=>$_g_product_id)); // product_id 参数没过滤，直接带入语句
    } else {
        $cart_list = unserialize($_c_cart_list);
        unset($cart_list[$_g_product_id]);
        $result = is_array($cart_list[$_g_product_id]) ? false : true;
        setcookie('cart_list', serialize($cart_list), 0, '/');
    }
    $cart_info = cart_info($cart_list);
    echo json_encode(array('result'=>$result, 'money'=>$cart_info['money']));
break;
```

从变量命名和下面的测试 URL 看，`$_g_product_id` 应来自 GET 参数 `product_id`；登录分支没有做任何类型转换或转义就把它传给 `pe_delete`，因此参数中的单引号会进入最终的 SQL 语句（`pe_delete` 的实现未在此处给出，需对照源码确认）。修复时应在使用前将 `product_id` 强制转换为整数（如 `intval()`），或让 `pe_delete` 改用参数化查询。另外，未登录分支对 `$_c_cart_list`（看起来是 `cart_list` cookie 的值）直接调用 `unserialize()`，对客户端可控的数据做反序列化同样有风险，建议改用 `json_encode()`/`json_decode()` 存取购物车内容。

### 漏洞证明:

测试：注册用户登录后访问

http://127.0.0.1/phpshe/index.php?mod=order&act=cartdel&product_id=1%27

[![QQ截图20140506183958.png](https://images.seebug.org/upload/201405/06184352a7592a101f2af691f47644cffb3dd5b6.png)](https://images.seebug.org/upload/201405/06184352a7592a101f2af691f47644cffb3dd5b6.png)
### 简要描述:

phpshe 注入漏洞（SQL 注入）

### 详细说明:

文件：module/index/order.php

```php
case 'cartdel':
    $money['order_productmoney'] = $money['order_wlmoney'] = $money['order_money'] = 0;
    if (pe_login('user')) {
        $result = $db->pe_delete('cart', array ('user_id'=>$_s_user_id, 'product_id'=>$_g_product_id)); // product_id 参数没过滤，直接带入语句
    } else {
        $cart_list = unserialize($_c_cart_list);
        unset($cart_list[$_g_product_id]);
        $result = is_array($cart_list[$_g_product_id]) ? false : true;
        setcookie('cart_list', serialize($cart_list), 0, '/');
    }
    $cart_info = cart_info($cart_list);
    echo json_encode(array('result'=>$result, 'money'=>$cart_info['money']));
break;
```

从变量命名和下面的测试 URL 看，`$_g_product_id` 应来自 GET 参数 `product_id`；登录分支没有做任何类型转换或转义就把它传给 `pe_delete`，因此参数中的单引号会进入最终的 SQL 语句（`pe_delete` 的实现未在此处给出，需对照源码确认）。修复时应在使用前将 `product_id` 强制转换为整数（如 `intval()`），或让 `pe_delete` 改用参数化查询。另外，未登录分支对 `$_c_cart_list`（看起来是 `cart_list` cookie 的值）直接调用 `unserialize()`，对客户端可控的数据做反序列化同样有风险，建议改用 `json_encode()`/`json_decode()` 存取购物车内容。

### 漏洞证明:

测试：注册用户登录后访问

http://127.0.0.1/phpshe/index.php?mod=order&act=cartdel&product_id=1%27

[![QQ截图20140506183958.png](https://images.seebug.org/upload/201405/06184352a7592a101f2af691f47644cffb3dd5b6.png)](https://images.seebug.org/upload/201405/06184352a7592a101f2af691f47644cffb3dd5b6.png)