### 简要描述

多个文件 SQL 注入

### 详细说明

search.php（BIWEB 企业版中几乎所有同名的 search.php 文件都存在这个问题）。举例：Product/search.php 文件第 24-60 行（不止这一处）：

```php
if(!empty($_REQUEST['product_name'])){
    $strKeywords = strval(urldecode(trim($_REQUEST['product_name'])));//只是进行了简单的过滤空格和url解码
    $arrKeywords = explode(" ",$strKeywords);//将关键词用空格进行分割
    $newArrKeywords = array();
    foreach($arrKeywords as $val){
        if(trim($val)!=""){
            $newArrKeywords[] = $val; //不为空则赋值
        }
    }
    if(count($newArrKeywords)>1){//为数组时的逻辑处理
        foreach($newArrKeywords as $key=>$val){
            $arrWhere[] = "`title` LIKE '%$val%' OR `summary` LIKE '%$val%' OR `intro` LIKE '%$val%'";//这里进行了SQL语句的拼接,变量val可控
            if($key!=0){
                $strKeyword .= " , ".$val;
            }else{
                $strKeyword .= $val;
            }
        }
    }else{
        $arrWhere[] = "`title` LIKE '%$newArrKeywords[0]%' OR `summary` LIKE '%$newArrKeywords[0]%'";
        $strKeyword = $newArrKeywords[0];
    }
    $arrLink[] = 'keywords=' . urlencode(trim($_REQUEST['keywords']));
}else check::AlertExit("错误:关键词必须填写!",-1);
if (empty($_GET['page'])) {
    $intPage = 1 ;
} else {
    $intPage = intval($_GET['page']);
}
$strWhere = implode(' AND ',$arrWhere);
$strWhere = 'where '.$strWhere;
$arrInfoList = $objWebInit->getInfoList($strWhere,' ORDER BY topflag DESC,submit_date DESC',($intPage-1)*$arrGPage['page_size'],$arrGPage['page_size'],'*');

跟踪函数getInfoList

public function getInfoList($where='',$order='',$intStartID = 0,$intListNum = 0,$field = '*',$arrData = array(),$blCount = true,$blComplex = false){
    $table = $this->tablename1;
    $arrData=(empty($arrData)?array():$arrData);
    $limit = '';
    if($blComplex){
        if($where != '') $where .= " and id <= ( SELECT id FROM `$table` $order LIMIT $intStartID, 1 )";
        else $where = " where id <= ( SELECT id FROM `$table` $order LIMIT $intStartID, 1 )";
    }
    if (!empty($order)) { $limit .= $order; }
    if (!empty($intListNum)) $limit .= " LIMIT " . $intStartID .','. 
$intListNum;
    $blFetch = false;
    if($field === true) {
        $arrDBfield = $this->arrGPdoDB['db_table_field'];
        unset($arrDBfield['structon_tb']);
        $field = implode(',',array_keys($arrDBfield));
    }
    $arrData = $this->selectDataG($table,$where,$limit,$field,$blFetch,$arrData,$blCount);//关键在这里,终于进入数据库查询函数 selectDataG,造成注入
    if(isset($arrData[0]['structon_tb'])) $arrData = $this->loadTableFieldG($arrData);
    return $arrData;
}
```

### 漏洞证明

加单引号报错：

[![aaa.png](https://images.seebug.org/upload/201401/24152208e6c463ff3b962c589fcb28ebdab5c6b0.png)](https://images.seebug.org/upload/201401/24152208e6c463ff3b962c589fcb28ebdab5c6b0.png)

下图可以看到在数据库中的运算：

[![sss.png](https://images.seebug.org/upload/201401/2415230001dc07045ee6135ad2b2fcf603959462.png)](https://images.seebug.org/upload/201401/2415230001dc07045ee6135ad2b2fcf603959462.png)