### Summary

A file takes a variable that was read from the database, applies no filtering to it, and places it into another SQL statement, which results in a second-order SQL injection.

### Details

In the file `\interface\public.php`:

```php
// Resolve the current member from the cookie and load their stored profile.
$ec_member_username_id = $this->member_cookieview('userid');
if ($ec_member_username_id) {
    $rsMember = $this->get_member_attvalue($ec_member_username_id);
}

// Values read back from the member record are treated as trusted here.
$userid  = $ec_member_username_id ? $ec_member_username_id : 0;
$name    = $rsMember['alias'] ? $rsMember['alias'] : '';
$sex     = $rsMember['sex'] ? $rsMember['sex'] : 0;
$tel     = $rsMember['tel'] ? $rsMember['tel'] : '';
$address = $rsMember['address'] ? $rsMember['address'] : '';

// The stored values are interpolated directly into a second INSERT statement.
$db_field  = 'mlvid,userid,name,sex,email,tel,address,isclass,addtime';
$db_values = "$mlvid,$userid,'$name',$sex,'$email','$tel','$address',1,$addtime";
$this->db->query('INSERT INTO ' . $db_table . ' (' . $db_field . ') VALUES (' . $db_values . ')');
```

The key line is `$address = $rsMember['address'] ? $rsMember['address'] : '';`. `$address` is the detailed address from the current user's profile, fetched from the database; the `address` column is of type varchar with a maximum length of 255 characters.

![c.jpg](https://images.seebug.org/upload/201305/1400432662063c7768b53959bc94038a93579ff6.jpg)

The `address` field is under the user's control, so a crafted SQL fragment can be stored in it.

### Proof of vulnerability

First, edit the profile information:

![d.jpg](https://images.seebug.org/upload/201305/14004712cb58cc8abe37d184f247c4dd3a92d330.jpg)

Then visit the following URL:

http://127.0.0.1/index.php?ac=public&at=invite&mlvid=999&email=ipp@126.com

The SQL statement that is output:

![e.jpg](https://images.seebug.org/upload/201305/140048109eab331968f73fa4b39507eeff5e9ed7.jpg)
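The pattern described above, reproduced side by side with its fix, as an added example that is not code from the original report or from the project. It runs against an in-memory SQLite database through PDO; the `member` and `invite` table layouts, the `get_member_attvalue()` stand-in and the sample profile are assumptions made for illustration. The point it makes is that a value read back from the database is still untrusted input for the next statement: a stored address containing a plain apostrophe is enough to change the structure of the interpolated INSERT, while the parameterised version stores it intact.

```php
<?php
// Added example (not the project's code): second-order injection pattern vs.
// a parameterised INSERT, using an in-memory SQLite database so it runs offline.
// Table and column names below are assumptions for illustration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE member (userid INTEGER PRIMARY KEY, alias TEXT, sex INTEGER, tel TEXT, address TEXT)');
$pdo->exec('CREATE TABLE invite (mlvid INTEGER, userid INTEGER, name TEXT, sex INTEGER,
            email TEXT, tel TEXT, address TEXT, isclass INTEGER, addtime INTEGER)');

// Constructed sample profile. The address contains a single quote, which is a
// legitimate value; it is stored safely here because it is bound as a parameter.
$pdo->prepare('INSERT INTO member (userid, alias, sex, tel, address) VALUES (?, ?, ?, ?, ?)')
    ->execute([1, 'alice', 0, '0000', "12 O'Connor Street"]);

// Stand-in for the application's get_member_attvalue(): reads the profile row back.
function get_member_attvalue(PDO $pdo, int $userid): array
{
    $s = $pdo->prepare('SELECT alias, sex, tel, address FROM member WHERE userid = ?');
    $s->execute([$userid]);
    return $s->fetch(PDO::FETCH_ASSOC) ?: [];
}

// Vulnerable shape from the report: values read back from the database are
// treated as trusted and interpolated into the second query as-is.
function invite_vulnerable(PDO $pdo, int $userid, int $mlvid, string $email): string
{
    $rs      = get_member_attvalue($pdo, $userid);
    $name    = $rs['alias'] ?? '';
    $sex     = (int) ($rs['sex'] ?? 0);
    $tel     = $rs['tel'] ?? '';
    $address = $rs['address'] ?? '';
    $addtime = time();
    $sql = "INSERT INTO invite (mlvid,userid,name,sex,email,tel,address,isclass,addtime) "
         . "VALUES ($mlvid,$userid,'$name',$sex,'$email','$tel','$address',1,$addtime)";
    try {
        $pdo->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        // The apostrophe in the stored address has already altered the statement's
        // structure: the query fails instead of inserting the row.
        return 'syntax error: ' . $e->getMessage();
    }
}

// Fixed shape: every value is bound, whether it arrived in the request or was
// read back from the database a moment ago.
function invite_fixed(PDO $pdo, int $userid, int $mlvid, string $email): string
{
    $rs   = get_member_attvalue($pdo, $userid);
    $stmt = $pdo->prepare(
        'INSERT INTO invite (mlvid,userid,name,sex,email,tel,address,isclass,addtime) '
      . 'VALUES (:mlvid,:userid,:name,:sex,:email,:tel,:address,1,:addtime)'
    );
    $stmt->execute([
        ':mlvid'   => $mlvid,
        ':userid'  => $userid,
        ':name'    => $rs['alias'] ?? '',
        ':sex'     => (int) ($rs['sex'] ?? 0),
        ':email'   => $email,
        ':tel'     => $rs['tel'] ?? '',
        ':address' => $rs['address'] ?? '',
        ':addtime' => time(),
    ]);
    return 'ok';
}

echo invite_vulnerable($pdo, 1, 999, 'user@example.invalid'), PHP_EOL;
echo invite_fixed($pdo, 1, 999, 'user@example.invalid'), PHP_EOL;

// Confirm that the parameterised path stored the address unchanged.
$row = $pdo->query('SELECT address FROM invite')->fetch(PDO::FETCH_ASSOC);
echo $row['address'], PHP_EOL;
```

Run it with the `pdo_sqlite` extension enabled. The first call reports a syntax error because the apostrophe terminates the string literal early; the second call succeeds and the stored address reads back exactly as entered. Escaping at the point where data enters the database is not a substitute: the value is decoded on the way out, so the second statement must bind it again.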