### 简要描述: 学习中......少装不努力,老大搞IT!!! ### 详细说明: phpyun 个人会员中心 member/model/index.class.php $_COOKIE["usertype"];参数存在注入, 从下面代码中可以看到$data["usertype"] 直接读取COOKIE的值,带入到sql中, sql未对值进行过滤处理 ``` function msg_action(){ if($_GET["del"]){ $nid=$this->obj->DB_delete_all("userid_msg","`id`='".$_GET["del"]."' and `uid`='".$this->uid."'"); isset($nid)?$this->obj->ACT_msg("index.php?C=msg","删除成功"):$this->obj->ACT_msg("index.php?C=msg","删除失败"); } $this->public_action(); $urlarr=array("C"=>"msg","page"=>"{{page}}"); $pageurl=$this->url("index","index",$urlarr); $this->get_page("userid_msg","`uid`='".$this->uid."' and type!='1' order by id desc",$pageurl,"20"); if($_GET["c_uid"]){ $data["c_uid"]=$_GET["c_uid"]; $data["inputtime"]=mktime(); $data["p_uid"]=$_COOKIE["uid"]; $data["usertype"]=$_COOKIE["usertype"]; $data["com_name"]=$_GET["c_name"]; $haves=$this->obj->DB_select_once("blacklist","`p_uid`=".$data["p_uid"]." and `c_uid`=".$data["c_uid"]." and `usertype`=".$data["usertype"]."");...
### 简要描述: 学习中......少装不努力,老大搞IT!!! ### 详细说明: phpyun 个人会员中心 member/model/index.class.php $_COOKIE["usertype"];参数存在注入, 从下面代码中可以看到$data["usertype"] 直接读取COOKIE的值,带入到sql中, sql未对值进行过滤处理 ``` function msg_action(){ if($_GET["del"]){ $nid=$this->obj->DB_delete_all("userid_msg","`id`='".$_GET["del"]."' and `uid`='".$this->uid."'"); isset($nid)?$this->obj->ACT_msg("index.php?C=msg","删除成功"):$this->obj->ACT_msg("index.php?C=msg","删除失败"); } $this->public_action(); $urlarr=array("C"=>"msg","page"=>"{{page}}"); $pageurl=$this->url("index","index",$urlarr); $this->get_page("userid_msg","`uid`='".$this->uid."' and type!='1' order by id desc",$pageurl,"20"); if($_GET["c_uid"]){ $data["c_uid"]=$_GET["c_uid"]; $data["inputtime"]=mktime(); $data["p_uid"]=$_COOKIE["uid"]; $data["usertype"]=$_COOKIE["usertype"]; $data["com_name"]=$_GET["c_name"]; $haves=$this->obj->DB_select_once("blacklist","`p_uid`=".$data["p_uid"]." and `c_uid`=".$data["c_uid"]." and `usertype`=".$data["usertype"].""); if(is_array($haves)){ $this->obj->ACT_msg($_SERVER['HTTP_REFERER'],"该用户已在您黑名单中"); }else{ $nid=$this->obj->insert_into("blacklist",$data); $this->obj->DB_delete_all("userid_msg","`uid`=".$data["p_uid"]." and `fid`=".$data["c_uid"].""," "); $nid?$this->obj->ACT_msg($_SERVER['HTTP_REFERER'],"操作成功"):$this->obj->ACT_msg($_SERVER['HTTP_REFERER'],"操作失败"); } } ``` ``` function DB_select_once($tablename, $where = 1, $select = "*") { $cachename=$tablename.$where; if(!$return=$this->Memcache_set($cachename)){ $SQL = "SELECT ".$select." FROM " . $this->def . $tablename . " WHERE ".$where." limit 1"; echo $SQL; $query = $this->db->query($SQL); $return=$this->db->fetch_array($query); $this->Memcache_set($cachename,$return); } return $return; } ``` [<img src="https://images.seebug.org/upload/201404/25084311c1c8f2da7df4e5e672a17db8e14d466d.png" alt="QQ截图20140425081528.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201404/25084311c1c8f2da7df4e5e672a17db8e14d466d.png) ### 漏洞证明:
