This vulnerability is an SQL injection caused by passing request parameters into a query without any filtering or escaping. The code is analyzed in detail below.
First, at line 62 of COrderManagement.php:
```php
$name=$_POST['dispname'];
$shipname=$_POST['shipname'];
$orderid=$_POST['orderid'];
$fromdate=$_POST['txtfromdate'];
$todate=$_POST['txttodate'];
$orderdate=$_POST['orderdate'];
$billname=$_POST['billname'];
$ordertotalto=$_POST['ordertotalto'];
$ordertotalfrom=$_POST['ordertotalfrom'];
$orderstatus=$_POST['selorderstatus'];
$sql='select a.orders_id,a.customers_id,a.order_ship,a.currency_id,q.id,q.currency_tocken,b.user_display_name as Name,a.date_purchased,a.billing_name,a.billing_company,a.billing_street_address,a.billing_suburb,a.billing_city,a.billing_postcode,a.billing_state,d.cou_name as billing_country,a.shipping_name,a.shipping_company,a.shipping_street_address,a.shipping_suburb,a.shipping_city,a.shipping_postcode,a.shipping_state,e.cou_name as shipping_country,c.orders_status_name,c.orders_status_id,a.order_total,f.gateway_name,g.shipment_name from orders_table a inner join users_table b on a.customers_id=b.user_id inner join orders_status_table c on c.orders_status_id=a.orders_status inner join country_table d on d.cou_code=a.billing_country inner join country_table e on e.cou_code=a.shipping_country inner join paymentgateways_table f on f.gateway_id=a.payment_method left join shipments_master_table g on g.shipment_id=a.shipment_id_selected left join currency_master_table q on q.id=a.currency_id';
```
As shown, the parameter values are read straight from POST. Now look at line 74:
```php
if($name!='')
{
$condition []= " b.user_display_name like '%".$name."%'";
}
if($orderid!='')
{
$condition[]= " a.orders_id='".$orderid."'";
}
if($billname!='')
{
$condition []= " a.billing_name like '%".$billname."%'";
}
if($orderstatus!='')
{
$condition []= " a.orders_status='".$orderstatus."'";
}
if(($ordertotalfrom!='') &&($ordertotalto!=''))
{
// if((int)$ordertotalfrom>=(int)$ordertotalto)
$condition []= " a.order_total between ".$ordertotalfrom." and ".$ordertotalto;
}
if(($fromdate!='') &&($todate!=''))
{
// if($fromdate>=$todate)
$condition []= " a.date_purchased between '".$fromdate."' and '".$todate."' ";
}
if(count($condition)>0)
$sql.= ' where '. implode(' and ', $condition) .' order by a.date_purchased desc' ;
elseif(count($condition)>0)
{
$sql.= ' where '. implode('', $condition).' order by a.date_purchased desc' ;
}
else
{
$sql.=' order by a.date_purchased desc';
}
```
Note that the orderid and orderstatus parameters (and, as the code shows, the other search fields as well) are neither filtered nor escaped: they are inserted directly into the condition array, which is then concatenated into the SQL query string.
Then at line 120:
```php
$obj=new Bin_Query();
if($obj->executeQuery($sql))
```
The assembled SQL statement is executed as-is, which results in SQL injection.
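As an added example (not the project's code), the same search filter can be rebuilt with bound parameters so that the user-supplied values never become part of the SQL text. The column and table names follow the query on the page; the reduced SQLite schema, the sample rows and the injected orderid value are constructed for this demo only.

```php
<?php
// Added example, not part of COrderManagement.php: the filter from the page
// rebuilt with PDO prepared statements instead of string concatenation.
declare(strict_types=1);

function buildOrderFilter(array $post): array
{
    $conditions = [];
    $params = [];

    // LIKE patterns: the wildcards are added in PHP, the value is still bound.
    if (($post['dispname'] ?? '') !== '') {
        $conditions[] = 'b.user_display_name LIKE :name';
        $params[':name'] = '%' . $post['dispname'] . '%';
    }
    if (($post['orderid'] ?? '') !== '') {
        $conditions[] = 'a.orders_id = :orderid';
        $params[':orderid'] = $post['orderid'];
    }
    if (($post['billname'] ?? '') !== '') {
        $conditions[] = 'a.billing_name LIKE :billname';
        $params[':billname'] = '%' . $post['billname'] . '%';
    }
    if (($post['selorderstatus'] ?? '') !== '') {
        $conditions[] = 'a.orders_status = :status';
        $params[':status'] = $post['selorderstatus'];
    }
    // Numeric range: the original concatenated unquoted values; here they are
    // coerced to float and bound, so no SQL syntax can be smuggled in.
    if (($post['ordertotalfrom'] ?? '') !== '' && ($post['ordertotalto'] ?? '') !== '') {
        $conditions[] = 'a.order_total BETWEEN :totfrom AND :totto';
        $params[':totfrom'] = (float) $post['ordertotalfrom'];
        $params[':totto']   = (float) $post['ordertotalto'];
    }
    // Dates: validate the expected format before binding.
    if (($post['txtfromdate'] ?? '') !== '' && ($post['txttodate'] ?? '') !== '') {
        foreach (['txtfromdate', 'txttodate'] as $k) {
            if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $post[$k])) {
                throw new InvalidArgumentException("bad date in $k");
            }
        }
        $conditions[] = 'a.date_purchased BETWEEN :dfrom AND :dto';
        $params[':dfrom'] = $post['txtfromdate'];
        $params[':dto']   = $post['txttodate'];
    }

    $where = $conditions ? ' WHERE ' . implode(' AND ', $conditions) : '';
    return [$where . ' ORDER BY a.date_purchased DESC', $params];
}

// Self-contained demo against an in-memory SQLite database with a reduced,
// constructed schema (the real tables have many more columns).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE orders_table (orders_id INTEGER, customers_id INTEGER, orders_status INTEGER, order_total REAL, billing_name TEXT, date_purchased TEXT)');
$pdo->exec('CREATE TABLE users_table (user_id INTEGER, user_display_name TEXT)');
$pdo->exec("INSERT INTO users_table VALUES (1, 'alice'), (2, 'bob')");
$pdo->exec("INSERT INTO orders_table VALUES (100, 1, 1, 25.0, 'Alice A', '2024-01-05'), (101, 2, 2, 99.5, 'Bob B', '2024-02-10')");

$base = 'SELECT a.orders_id, b.user_display_name AS Name, a.order_total'
      . ' FROM orders_table a INNER JOIN users_table b ON a.customers_id = b.user_id';

// Constructed orderid containing a quote and an OR clause: with concatenation
// it would change the query's logic; with binding it is just a literal string.
$post = ['orderid' => "100' OR '1'='1"];
[$tail, $params] = buildOrderFilter($post);
$stmt = $pdo->prepare($base . $tail);
$stmt->execute($params);
printf("rows for quoted orderid: %d\n", count($stmt->fetchAll(PDO::FETCH_ASSOC))); // 0

// A legitimate search still works: name contains 'ali', total between 10 and 50.
$post = ['dispname' => 'ali', 'ordertotalfrom' => '10', 'ordertotalto' => '50'];
[$tail, $params] = buildOrderFilter($post);
$stmt = $pdo->prepare($base . $tail);
$stmt->execute($params);
printf("rows for legitimate search: %d\n", count($stmt->fetchAll(PDO::FETCH_ASSOC))); // 1
```

The design point is that the SQL text is fixed at prepare time and only ever contains placeholders; every request value travels separately as a bound parameter, so the database never parses it as syntax. The page's Bin_Query wrapper is not shown, so the example uses PDO directly; the same placeholder-and-bind split applies whichever driver the project's wrapper uses.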