ECShop 2.5.0: SQL injection vulnerability in user.php

user.php, line 2176:

```php
else if ($action == 'order_query')
{
    $order_sn = empty($_GET['order_sn']) ? '' : trim(substr($_GET['order_sn'], 1));
    include_once(ROOT_PATH .'includes/cls_json.php');
    $json = new JSON();
    $result = array('error'=>0, 'message'=>'', 'content'=>'');
    if(isset($_SESSION['last_order_query']))
    {
        if(time() - $_SESSION['last_order_query'] <= 10)
        {
            $result['error'] = 1;
            $result['message'] = $_LANG['order_query_toofast'];
            die($json->encode($result));
        }
    }
    $_SESSION['last_order_query'] = time();
```

When `order_sn='` is submitted, magic_quotes_gpc turns it into `\'`, but `substr($_GET['order_sn'], 1)` strips the leading `\`, leaving a bare `'` and causing SQL injection.
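The following is an added example, not ECShop's own code. It reproduces the ordering problem described above (escaping applied by magic_quotes_gpc, then `substr(..., 1)` removing the escape character) using `addslashes()` to stand in for magic_quotes_gpc, and contrasts it with a handler that validates the raw value and binds it as a parameter. The digits-only `order_sn` format, the `ecs_order_info` table and the `order_status` column are assumptions made for this example; the page does not state them.

```php
<?php
// Added example (not ECShop's own code). Demonstrates why stripping the first
// character AFTER magic_quotes_gpc escaping undoes the escaping, and shows a
// hardened handler that validates the input and uses a bound parameter.

// magic_quotes_gpc (removed in PHP 5.4) applied addslashes() to GET values.
// We simulate that here so the example runs on any PHP version.
function gpc_escape(string $raw): string {
    return addslashes($raw);
}

// The vulnerable ordering from the advisory: escape first, then substr(..., 1).
// For a raw value of a single quote the backslash is the character removed,
// so the escaping is lost before the value reaches the SQL statement.
function vulnerable_order_sn(string $raw_get_value): string {
    $escaped = gpc_escape($raw_get_value);
    return trim(substr($escaped, 1));
}

// Hardened version: do the prefix handling on the raw value, then allowlist.
// A digits-only order number is an ASSUMPTION for illustration only.
function safe_order_sn(string $raw_get_value): ?string {
    $sn = trim(substr($raw_get_value, 1));
    return preg_match('/^[0-9]{1,32}$/', $sn) === 1 ? $sn : null;
}

// Query with a bound parameter so the value can never alter the SQL text.
// Table and column names are assumptions for this example.
function lookup_order(PDO $db, string $raw_get_value): ?array {
    $sn = safe_order_sn($raw_get_value);
    if ($sn === null) {
        return null; // reject malformed input instead of querying with it
    }
    $stmt = $db->prepare(
        'SELECT order_sn, order_status FROM ecs_order_info WHERE order_sn = ?'
    );
    $stmt->execute([$sn]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a lone quote and a prefixed numeric order number.
var_dump(vulnerable_order_sn("'"));
var_dump(safe_order_sn("'"));
var_dump(safe_order_sn("X20240101"));
```

Running the top-level calls shows that `vulnerable_order_sn` returns the quote without its escaping backslash, while `safe_order_sn` rejects it and only passes values matching the allowlist on to the prepared statement. The general point is that input escaping must be the last transformation before the value reaches the query, or, better, be replaced by parameter binding so that no string manipulation can reintroduce a metacharacter.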