### 简要描述: inc/user/alipay/alipayapi.php 存在 SQL 注入：POST 参数 WIDout_trade_no 未做任何过滤即拼接进 SQL 语句，且拼接点为无引号包裹的数字上下文，利用时不需要单引号，magic_quotes_gpc 等只转义引号的机制无法防护。与前一处漏洞位于同一文件。 ### 详细说明: 在 inc/user/alipay/alipayapi.php 中（以下为节选，$alipay_config、$MAC、$notify_url 等变量在片段之外定义；所有 $_POST 取值均为客户端可控） ``` $out_trade_no = $_POST['WIDout_trade_no'];//可控 //商户网站订单系统中唯一订单号,必填 //订单名称 $subject = $_POST['WIDsubject']; //必填 //付款金额 $price = $_POST['WIDprice']; //必填 //商品数量 $quantity = "1"; //必填,建议默认为1,不改变值,把一次交易看成是一次下订单而非购买一件商品 //物流费用 $logistics_fee = "0.00"; //必填,即运费 //物流类型 $logistics_type = "EXPRESS"; //必填,三个值可选:EXPRESS(快递)、POST(平邮)、EMS(EMS) //物流支付方式 $logistics_payment = "SELLER_PAY"; //必填,两个值可选:SELLER_PAY(卖家承担运费)、BUYER_PAY(买家承担运费) //订单描述 $body = $_POST['WIDbody']; //商品展示地址 $show_url = $_POST['WIDshow_url']; //需以http://开头的完整路径,如:http://www.xxx.com/myorder.html //收货人姓名 $receive_name = $_POST['WIDreceive_name']; //如:张三 //收货人地址 $receive_address = $_POST['WIDreceive_address']; //如:XX省XXX市XXX区XXX路XXX小区XXX栋XXX单元XXX号 //收货人邮编 $receive_zip = $_POST['WIDreceive_zip']; //如:123456 //收货人电话号码 $receive_phone = $_POST['WIDreceive_phone']; //如:0571-88158090 //收货人手机号码 $receive_mobile = $_POST['WIDreceive_mobile']; //如:13312341234...
### 简要描述: inc/user/alipay/alipayapi.php 存在 SQL 注入：POST 参数 WIDout_trade_no 未做任何过滤即拼接进 SQL 语句，且拼接点为无引号包裹的数字上下文，利用时不需要单引号，magic_quotes_gpc 等只转义引号的机制无法防护。与前一处漏洞位于同一文件。 ### 详细说明: 在 inc/user/alipay/alipayapi.php 中（以下为节选，$alipay_config、$MAC、$notify_url 等变量在片段之外定义；所有 $_POST 取值均为客户端可控） ``` $out_trade_no = $_POST['WIDout_trade_no'];//可控 //商户网站订单系统中唯一订单号,必填 //订单名称 $subject = $_POST['WIDsubject']; //必填 //付款金额 $price = $_POST['WIDprice']; //必填 //商品数量 $quantity = "1"; //必填,建议默认为1,不改变值,把一次交易看成是一次下订单而非购买一件商品 //物流费用 $logistics_fee = "0.00"; //必填,即运费 //物流类型 $logistics_type = "EXPRESS"; //必填,三个值可选:EXPRESS(快递)、POST(平邮)、EMS(EMS) //物流支付方式 $logistics_payment = "SELLER_PAY"; //必填,两个值可选:SELLER_PAY(卖家承担运费)、BUYER_PAY(买家承担运费) //订单描述 $body = $_POST['WIDbody']; //商品展示地址 $show_url = $_POST['WIDshow_url']; //需以http://开头的完整路径,如:http://www.xxx.com/myorder.html //收货人姓名 $receive_name = $_POST['WIDreceive_name']; //如:张三 //收货人地址 $receive_address = $_POST['WIDreceive_address']; //如:XX省XXX市XXX区XXX路XXX小区XXX栋XXX单元XXX号 //收货人邮编 $receive_zip = $_POST['WIDreceive_zip']; //如:123456 //收货人电话号码 $receive_phone = $_POST['WIDreceive_phone']; //如:0571-88158090 //收货人手机号码 $receive_mobile = $_POST['WIDreceive_mobile']; //如:13312341234 /************************************************************/ //构造要请求的参数数组,无需改动 $parameter = array( "service" => "trade_create_by_buyer", "partner" => trim($alipay_config['partner']), "payment_type"=> $payment_type, "notify_url"=> $notify_url, "return_url"=> $return_url, "seller_email"=> $alipay_config['no'], "out_trade_no"=> $out_trade_no, "subject"=> $subject, "price"=> $price, "quantity"=> $quantity, "logistics_fee"=> $logistics_fee, "logistics_type"=> $logistics_type, "logistics_payment"=> $logistics_payment, "body"=> $body, "show_url"=> $show_url, "receive_name"=> $receive_name, "receive_address"=> $receive_address, "receive_zip"=> $receive_zip, "receive_phone"=> $receive_phone, "receive_mobile"=> $receive_mobile, "_input_charset"=> trim(strtolower($alipay_config['input_charset'])) ); $db = new AppDb($MAC['db']['server'],$MAC['db']['user'],$MAC['db']['pass'],$MAC['db']['name']); $sql = 'select count(*) from {pre}user_pay where p_order='.$out_trade_no; $num = $db->getOne($sql); if($num>0){ 
showErr('System',"订单号错误无法提交数据"); } else{ $db->Add('{pre}user_pay',array('p_uid','p_order','p_price','p_point','p_time'),array($_SESSION["userid"],$out_trade_no,$price,$price*$MAC['pay']['app']['exc'],time())); } ``` 可以看到，$out_trade_no 未经任何校验就被带入了上面两处数据库操作。第一处 `'select count(*) from {pre}user_pay where p_order='.$out_trade_no` 是纯字符串拼接，且比较值没有引号包裹，属于数字上下文注入：攻击者不需要闭合单引号，因此 magic_quotes_gpc / addslashes 这类只转义引号的防护对它完全无效；同时 if($num>0) 的两个分支（报错 showErr 与正常入库）对客户端是可区分的，可作为布尔判定条件。第二处 $db->Add(...) 同样接收了未过滤的 $out_trade_no 和 $price，AppDb::Add 内部是否做了转义在本片段中看不到，不能据此假定其安全。此外 $price 直接取自 POST 并被写入 p_price / p_point，即使不考虑注入，也属于客户端可改价，需要在支付回调（notify_url）处按订单重新核对金额——本片段中未见该校验。修复建议：对 p_order 改用预处理语句绑定参数；若订单号本应为纯数字，在使用前以 ctype_digit() 校验并拒绝非法输入；对 $price 同样校验为合法金额格式后再使用。 ### 漏洞证明: [<img src="https://images.seebug.org/upload/201403/15224801ead5f57d78ba92a658382d548ee43e45.jpg" alt="19.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/15224801ead5f57d78ba92a658382d548ee43e45.jpg) [<img src="https://images.seebug.org/upload/201403/15224812a1628b2fba99cd4ad9a7ed7f93feaba4.jpg" alt="20.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/15224812a1628b2fba99cd4ad9a7ed7f93feaba4.jpg) 由于拼接点无需引号，后续可直接构造注入语句读取数据库内容，上方截图为实际注入结果。