### 简要描述: null ### 详细说明: switch ($_POST['act']) { case 'search_goods_list': search_goods_list(); break; case 'search_products_list': search_products_list(); break; ...... } function search_products_list() { check_auth(); ...... if (!empty($_POST['goods_id']) && is_numeric($_POST['goods_id']) || !empty($_POST['bn'])) //goods_id不为数字,bn不为空.假假得假,假真得真. { $sql = 'SELECT goods_id, last_update AS last_modify, shop_price AS price, goods_sn AS bn, goods_name AS name, goods_weight AS weight, goods_number AS store, add_time AS uptime' . ' FROM ' . $GLOBALS['ecs']->table('goods') . ' WHERE ' . empty($_POST['bn']) ? "goods_id = $_POST[goods_id]" : "goods_sn = $_POST[bn]"; //bn带入查询. $goods_data = $GLOBALS['db']->getRow($sql); ...... } function search_goods_list() { ...... $page = empty($_POST['pages']) ? 1 : $_POST['pages']; //没过滤 $counts = empty($_POST['counts']) ? 100 : $_POST['counts']; //没过滤. 1 union select 1,user() $sql = 'SELECT goods_id, last_update AS last_modify' . ' FROM ' ....
### 简要描述: null ### 详细说明: switch ($_POST['act']) { case 'search_goods_list': search_goods_list(); break; case 'search_products_list': search_products_list(); break; ...... } function search_products_list() { check_auth(); ...... if (!empty($_POST['goods_id']) && is_numeric($_POST['goods_id']) || !empty($_POST['bn'])) //goods_id不为数字,bn不为空.假假得假,假真得真. { $sql = 'SELECT goods_id, last_update AS last_modify, shop_price AS price, goods_sn AS bn, goods_name AS name, goods_weight AS weight, goods_number AS store, add_time AS uptime' . ' FROM ' . $GLOBALS['ecs']->table('goods') . ' WHERE ' . empty($_POST['bn']) ? "goods_id = $_POST[goods_id]" : "goods_sn = $_POST[bn]"; //bn带入查询. $goods_data = $GLOBALS['db']->getRow($sql); ...... } function search_goods_list() { ...... $page = empty($_POST['pages']) ? 1 : $_POST['pages']; //没过滤 $counts = empty($_POST['counts']) ? 100 : $_POST['counts']; //没过滤. 1 union select 1,user() $sql = 'SELECT goods_id, last_update AS last_modify' . ' FROM ' . $GLOBALS['ecs']->table('goods') . " WHERE is_delete = 0 AND is_on_sale = 1 AND (last_update > '" . $_POST['last_modify_st_time'] . "' OR last_update = 0)". " LIMIT ".($page - 1) * $counts . ', ' . $counts;//联合查询select...limit 1,1 union select 1,user() $date_arr = $GLOBALS['db']->getAll($sql); ) function check_auth() { $license = get_shop_license(); // 取出网店 license信息 if (empty($license['certificate_id']) || empty($license['token']) || empty($license['certi'])) { api_err('0x006', 'no certificate'); //没有证书数据,输出系统级错误:用户权限不够 } if (!check_shopex_ac($_POST, $license['token'])) //带入token,需要知道数据库里token的值. { api_err('0x009'); //输出系统级错误:签名无效 } /* 对应用申请的session进行验证 */ $certi['certificate_id'] = $license['certificate_id']; // 网店证书ID $certi['app_id'] = 'ecshop_b2c'; // 说明客户端来源 $certi['app_instance_id'] = 'webcollect'; // 应用服务ID $certi['version'] = VERSION . '#' . RELEASE; // 网店软件版本号 $certi['format'] = 'json'; // 官方返回数据格式 $certi['certi_app'] = 'sess.valid_session'; // 证书方法 $certi['certi_session'] = $_POST['app_session']; //应用服务器申请的session值 $certi['certi_ac'] = make_shopex_ac($certi, $license['token']); // 网店验证字符串 $request_arr = exchange_shop_license($certi, $license); if ($request_arr['res'] != 'succ') { api_err('0x001', 'session is invalid'); //输出系统级错误:身份验证失败 } } function check_shopex_ac($post_params,$token) { ksort($post_params); $str = ''; foreach($post_params as $key=>$value) { if ($key!='ac') { $str.=$value; } } if ($post_params['ac'] == md5($str.$token))//ac的值要等于提交的参数加上$license['token']的值的md5码. { return true; } else { return true; } } ### 漏洞证明: [<img src="https://images.seebug.org/upload/201309/05155603b6f89adbece5160845ffd090f261a531.jpg" alt="QQ图片20130905155707.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201309/05155603b6f89adbece5160845ffd090f261a531.jpg) [<img src="https://images.seebug.org/upload/201309/05155911e913f01556afc7e10a39b8b08c7895fc.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201309/05155911e913f01556afc7e10a39b8b08c7895fc.jpg)
