### 简要描述:

Sql Injection

### 详细说明:

注入点位于 XDCMS 企业管理系统后台的菜单管理处（`\system\modules\xdcms\menu.php` 文件）。用户在添加或管理菜单时会调用 add_save() 和 edit_save() 函数；下列 9 个注入点分布在 add_save()、edit_save() 和 sort_save() 三个函数中。成因是这些 `$_POST` 参数既未做类型转换也未做转义，就被直接拼接进 SQL 语句（`$sql` 字符串或 `db_update()` 的参数）。

add_save() 函数:

```
public function add_save(){
    $title=$_POST['title'];//注入点1
    $sort=intval($_POST['sort']);
    $is_show=$_POST['is_show'];//注入点2
    $groupid=$_POST['groupid'];//注入点3
    $url=$_POST['url'];//注入点4
    $parentid=isset($_POST['parentid'])?intval($_POST['parentid']):0;
    if(empty($title)){
        showmsg(C('material_not_complete'),'-1');
    }
    if(is_array($groupid)){
        $group_str=implode(',',$groupid);
    }
    $sql="insert into ".DB_PRE."menu (title,url,parentid,sort,is_show,groupid) values ('".$title."','".$url."','".$parentid."','".$sort."','".$is_show."','".$group_str."')";
    $this->mysql->query($sql);
    $this->menu_cache();
    showmsg(C('add_success'),'-1');
}
```

edit_save():

```
public function edit_save(){
    $menuid=intval($_POST['menuid']);
    $title=$_POST['title'];//注入点5
    $sort=intval($_POST['sort']);
    $is_show=$_POST['is_show'];//注入点6
    $groupid=$_POST['groupid'];//注入点7
    $url=$_POST['url'];//注入点8
    $parentid=isset($_POST['parentid'])?intval($_POST['parentid']):0;
    if(empty($menuid)||empty($title)){
        showmsg(C('material_not_complete'),'-1');
    }
    if(is_array($groupid)){
        $group_str=implode(',',$groupid);
    }
    $this->mysql->db_update("menu","`title`='".$title."',`url`='".$url."',`sort`='".$sort."',`is_show`='".$is_show."',`groupid`='".$group_str."',`parentid`='".$parentid."'","`menuid`=".$menuid);
    $this->menu_cache();
    showmsg(C('update_success'),'index.php?m=xdcms&c=menu');
}
```

sort_save()（注意：`$menuid` 数组的每个元素 `$val` 未经 intval() 处理，就被直接拼接进 where 条件）:

```
public function sort_save(){
    $menuid=$_POST['menuid'];//注入点9
    foreach($menuid as $val){
        $sort=$_POST["sort{$val}"];
        if(is_numeric($sort)){
            $this->mysql->db_update("menu","`sort`='".$sort."'","`menuid`=".$val);
        }
    }
    $this->menu_cache();
    showmsg(C('update_success'),'index.php?m=xdcms&c=menu');
}
```

### 漏洞证明:

添加菜单:

[<img src="https://images.seebug.org/upload/201402/222151106fd732676e303dacb5289d31f85e325e.jpg" alt="menu.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/222151106fd732676e303dacb5289d31f85e325e.jpg)

加 exp:

[<img src="https://images.seebug.org/upload/201402/2221512887588c6822bcc714c3a4916abe79b072.jpg" alt="menu1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/2221512887588c6822bcc714c3a4916abe79b072.jpg)

成功注入:

[<img src="https://images.seebug.org/upload/201402/22215143f2ccdab13b4bc385a811640c970b2f61.jpg" alt="menu2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/22215143f2ccdab13b4bc385a811640c970b2f61.jpg)