Thinksaas SQL注入漏洞

### 简要描述： Thinksaas SQL注入#5 ### 详细说明： Thinksaas SQL注入#5 积分兑换——物品编辑处，sql注入。 第一处：/app/redeem/action/edit.php ``` case "do": $goodsid = intval($_POST['goodsid']); $cateid = intval($_POST['cateid']); $title = trim($_POST['title']);//问题在这里 $content = trim($_POST['content']);//问题在这里 $nums = intval($_POST['nums']); $scores = intval($_POST['scores']); $return = intval($_POST['return']); $new['redeem']->update('redeem_goods',array( 'goodsid'=>$goodsid, ),array( 'cateid'=>$cateid, 'title'=>$title,//问题在这里 'content'=>$content,//问题在这里 'nums'=>$nums, 'scores'=>$scores, 'return'=>$return, )); ``` 这里没有过滤，进入update： ``` public function update($table, $conditions, $row) { $where = ""; if (empty ( $row )) return FALSE; if (is_array ( $conditions )) { $join = array (); foreach ( $conditions as $key => $condition ) { $condition = $this->escape ( $condition ); $join [] = "{$key} = {$condition}"; } $where = "WHERE " . join ( " AND ", $join ); } else { if (null != $conditions) $where = "WHERE " . $conditions; } foreach ( $row as $key => $value ) { $vals [] = "`$key` = '$value'"; } $values = join ( ", ", $vals ); $sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}"; return $this->db->query ( $sql ); } ``` 也没有过滤row的内容，导致我们的输入进入sql语句，造成注入。 ### 漏洞证明： 新看看正常的积分兑换物品： [<img src="https://images.seebug.org/upload/201312/2311241693cc61ffbb5707be80db63e3448d420c.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/2311241693cc61ffbb5707be80db63e3448d420c.png) 编辑物品，输入如下： [<img src="https://images.seebug.org/upload/201312/23112431ad805bb912dcc6cb8c192b82bb211250.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/23112431ad805bb912dcc6cb8c192b82bb211250.png) 修改后，看看结果： [<img src="https://images.seebug.org/upload/201312/2311244673b9d0199b82a83fe0ba6fabba8c475e.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/2311244673b9d0199b82a83fe0ba6fabba8c475e.png) ok