### Vulnerability analysis

First look at includes/init.php: when get_magic_quotes_gpc() is off, addslashes_deep() is called on the request arrays.

```
// includes/init.php
if (!get_magic_quotes_gpc())
{
    if (!empty($_GET))
    {
        $_GET = addslashes_deep($_GET);
    }
    if (!empty($_POST))
    {
        $_POST = addslashes_deep($_POST);
    }
    $_COOKIE  = addslashes_deep($_COOKIE);
    $_REQUEST = addslashes_deep($_REQUEST);
}
```

addslashes_deep() lives in includes/lib_base.php and ultimately escapes through addslashes(). Here is the function from includes/lib_base.php:

```
// includes/lib_base.php
function addslashes_deep($value)
{
    if (empty($value))
    {
        return $value;
    }
    else
    {
        // only the array values are processed, never the keys :)
        return is_array($value) ? array_map('addslashes_deep', $value) : addslashes($value);
    }
}
```

Now the vulnerable file, pick_out.php:

```
if (!empty($_GET['attr']))
{
    $attr_table = '';
    $attr_where = '';
    $attr_url   = '';
    $i = 0;
    $goods_result = '';

    foreach ($_GET['attr'] AS $key => $value) // $key is not processed at all
    {
        $attr_url .= '&attr[' . $key . ']=' . $value;
        $attr_picks[] = $key;

        if ($i > 0)
        {
            if (empty($goods_result))
            {
                break;
            }
            $goods_result = $db->getCol("SELECT goods_id FROM " . $ecs->table("goods_attr") . " WHERE goods_id IN (" . implode(',' , $goods_result) . ") AND attr_id='$key' AND attr_value='$value'");
        }
        else
        {
            $goods_result = $db->getCol("SELECT goods_id FROM " . $ecs->table("goods_attr") . " WHERE attr_id='$key' AND attr_value='$value'");
        }
        $i++;
    }
    // ... rest of pick_out.php
}
```

Because $key receives no processing when magic_quotes_gpc=off, and the array handling has a logic flaw (only values are escaped, keys are not), the array key is concatenated straight into the query and the result is an SQL injection vulnerability.
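The two defensive fixes that follow from the analysis are shown below as an added example; this is not ECShop's own code nor the author's. It gives a hypothetical addslashes_deep_keys() that escapes array keys as well as values, and a hypothetical pick_goods_by_attr_safe() that rewrites the pick_out.php loop to validate $key before it reaches SQL. $db->getCol() and $ecs->table() are replaced by a small FakeDb class so the file runs offline, and it assumes goods_attr.attr_id is an integer column (ctype_digit() is used instead of a bare (int) cast because (int)"7'x" silently yields 7).

```php
<?php
// Added example (not ECShop code). Names ending in _keys/_safe are hypothetical.

// Key-aware variant of addslashes_deep(): the original only maps over values.
function addslashes_deep_keys($value)
{
    if (!is_array($value)) {
        return addslashes((string) $value);
    }
    $out = array();
    foreach ($value as $k => $v) {
        // escape the key too, then recurse into the value
        $out[addslashes((string) $k)] = addslashes_deep_keys($v);
    }
    return $out;
}

// Minimal stand-in for ECShop's $db / $ecs objects: records each SQL string
// instead of querying MySQL, so the example can be run without a database.
class FakeDb
{
    public $queries = array();

    public function getCol($sql)
    {
        $this->queries[] = $sql;
        return array(1, 2);          // pretend two goods matched
    }

    public function table($name)
    {
        return 'ecs_' . $name;       // ECShop-style table prefix (assumed)
    }
}

// Hardened version of the pick_out.php loop. attr_id is assumed to be an
// integer column, so the key must be all digits; the value is escaped
// before being interpolated into the string comparison.
function pick_goods_by_attr_safe(array $attr, FakeDb $db)
{
    $goods_result = array();
    $i = 0;
    foreach ($attr as $key => $value) {
        if (!ctype_digit((string) $key)) {
            continue;                // reject the key instead of interpolating it
        }
        $attr_id    = (int) $key;
        $attr_value = addslashes((string) $value);
        $table      = $db->table('goods_attr');

        if ($i > 0) {
            if (empty($goods_result)) {
                break;
            }
            // ids from the previous query are also normalised to integers
            $ids = implode(',', array_map('intval', $goods_result));
            $goods_result = $db->getCol("SELECT goods_id FROM $table WHERE goods_id IN ($ids) AND attr_id=$attr_id AND attr_value='$attr_value'");
        } else {
            $goods_result = $db->getCol("SELECT goods_id FROM $table WHERE attr_id=$attr_id AND attr_value='$attr_value'");
        }
        $i++;
    }
    return $goods_result;
}

// Constructed input standing in for $_GET['attr']: the second key carries a
// stray quote, which the original code would splice into SQL verbatim.
$attr = array("12" => "red", "7'x" => "large");

$db = new FakeDb();
pick_goods_by_attr_safe($attr, $db);
foreach ($db->queries as $sql) {
    echo $sql, "\n";                 // only the attr_id=12 query is issued
}

var_dump(addslashes_deep_keys($attr)); // the "7'x" key is now escaped as 7\'x
```

Run it with `php example.php`. Rejecting non-numeric keys is the stronger fix for pick_out.php because attr_id never legitimately contains anything but digits; the key-aware addslashes_deep_keys() is the broader safety net for any other code path that concatenates request array keys into queries.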