### 简要描述:
未过滤
### 详细说明:
先看写入代码:
/var/www/html/thinksaas/app/my/action/setting.php
```
case "citydo":
$province = trim($_POST['province']);
$city = trim($_POST['city']);//只过滤两处空白
//这里就直接写入数据库了
$new['my']->update('user_info',array(
'userid'=>$userid,
),array(
'province'=>$province,
'city'=>$city,
));
tsNotice("常居地更新成功!");
break;
```
Update:
```
public function update($table, $conditions, $row) {
$where = "";
if (empty ( $row ))
return FALSE;
if (is_array ( $conditions )) {
$join = array ();
foreach ( $conditions as $key => $condition ) {
$condition = $this->escape ( $condition );
$join [] = "`{$key}` = {$condition}";
}
$where = "WHERE " . join ( " AND ", $join );
} else {
if (null != $conditions)
$where = "WHERE " . $conditions;
}
foreach ( $row as $key => $value ) {
$value = $this->escape ( $value ); //只做了转义
//$vals [] = "`$key` = $value";
$vals [] = "{$key} = {$value}";
}
$values = join ( ", ", $vals );
$sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}";
return $this->db->query ( $sql );
}
```
再来看取出:
/var/www/html/thinksaas/app/user/class.user.php
```
//获取一个用户的信息
function getOneUser($userid){
$strUser = $this->find('user_info',array(
'userid'=>$userid,
));
if($strUser){
$strUser['username'] = tsTitle($strUser['username']);
if($strUser['face'] && $strUser['path']){
$strUser['face'] = tsXimg($strUser['face'],'user',120,120,$strUser['path'],1);
}elseif($strUser['face'] && $strUser['path']==''){
$strUser['face'] = SITE_URL.'public/images/'.$strUser['face'];
}else{
//没有头像
$strUser['face'] = SITE_URL.'public/images/user_large.jpg';
}
}else{
$strUser = '';
}
return $strUser; //没任何过滤
}
```
### 漏洞证明:
[<img src="https://images.seebug.org/upload/201512/251130037d7fc4a08f8b68c547c5972e50168c6a.png" alt="thi1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/251130037d7fc4a08f8b68c547c5972e50168c6a.png)
[<img src="https://images.seebug.org/upload/201512/25113012d074f5bbde88fbd5273a3bae4440e3c0.png" alt="thi2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/25113012d074f5bbde88fbd5273a3bae4440e3c0.png)
京公网安备 11010502034610号
暂无评论