### Brief description:
A file takes a variable read from the database, does not filter it, and places it into another SQL statement, resulting in a second-order SQL injection.
### Details:
In the file \interface\public.php:
```php
// Look up the current member from the cookie and load the member row.
$ec_member_username_id = $this->member_cookieview('userid');
if ($ec_member_username_id) {
    $rsMember = $this->get_member_attvalue($ec_member_username_id);
}
// Values taken from the stored member row; none of them is escaped.
$userid = $ec_member_username_id ? $ec_member_username_id : 0;
$name = $rsMember['alias'] ? $rsMember['alias'] : '';
$sex = $rsMember['sex'] ? $rsMember['sex'] : 0;
$tel = $rsMember['tel'] ? $rsMember['tel'] : '';
$address = $rsMember['address'] ? $rsMember['address'] : '';
// The stored values are concatenated straight into the INSERT statement.
$db_field = 'mlvid,userid,name,sex,email,tel,address,isclass,addtime';
$db_values = "$mlvid,$userid,'$name',$sex,'$email','$tel','$address',1,$addtime";
$this->db->query('INSERT INTO ' . $db_table . ' (' . $db_field . ') VALUES (' . $db_values . ')');
```
Key code: `$address = $rsMember['address'] ? $rsMember['address'] : '';`
`$address` is the detailed address from the current user's profile, read back from the database; the `address` column is of type varchar with a maximum length of 255 characters.
![c.jpg](https://images.seebug.org/upload/201305/1400432662063c7768b53959bc94038a93579ff6.jpg)
The `address` field is user-controlled, so a specially crafted SQL statement can be constructed from it.
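The following is an added example, not code from the project, showing why the stored `address` value must be treated as untrusted and what the prepared-statement fix looks like. It assumes PDO with an in-memory SQLite database and a constructed `invite` table standing in for `$db_table`.

```php
<?php
// Added example (not project code): second-order injection via a stored value.
// Assumption: PDO with pdo_sqlite is available; the table is a stand-in.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE invite (mlvid INT, userid INT, name TEXT, address TEXT)');

// Constructed sample member row: an address containing a single quote is
// legitimate data, yet it already breaks the string-built statement below.
$rsMember = ['alias' => 'tester', 'address' => "12 O'Connor St"];

// Vulnerable pattern (as in public.php): values read back from the member
// row are concatenated straight into the SQL text.
function buildUnsafeInsert(int $mlvid, int $userid, array $rsMember): string
{
    $name    = $rsMember['alias'] ?? '';
    $address = $rsMember['address'] ?? '';
    return "INSERT INTO invite (mlvid,userid,name,address) "
         . "VALUES ($mlvid,$userid,'$name','$address')";
}

// Hardened form: the statement text is fixed and every value is bound,
// so whatever is stored in the profile can never reach the SQL parser.
function insertSafe(PDO $pdo, int $mlvid, int $userid, array $rsMember): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO invite (mlvid,userid,name,address) VALUES (?,?,?,?)'
    );
    $stmt->execute([
        $mlvid,
        $userid,
        $rsMember['alias'] ?? '',
        $rsMember['address'] ?? '',
    ]);
}

try {
    $pdo->exec(buildUnsafeInsert(999, 1, $rsMember));
    echo "unsafe insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    // The quote in the stored address terminates the string literal; a
    // syntax error here proves the stored value is being parsed as SQL.
    echo "unsafe insert failed: " . $e->getMessage() . "\n";
}

insertSafe($pdo, 999, 1, $rsMember);
$row = $pdo->query('SELECT address FROM invite')->fetch(PDO::FETCH_ASSOC);
echo "safe insert stored: " . $row['address'] . "\n";
```

The same binding applies to every other field in the original statement; escaping only the value the report highlights would leave the others in the same state.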
### Proof of vulnerability:
First, modify the personal profile:
![d.jpg](https://images.seebug.org/upload/201305/14004712cb58cc8abe37d184f247c4dd3a92d330.jpg)
Then visit the following URL:
http://127.0.0.1/index.php?ac=public&at=invite&mlvid=999&email=ipp@126.com
The SQL statement that is output:
![e.jpg](https://images.seebug.org/upload/201305/140048109eab331968f73fa4b39507eeff5e9ed7.jpg)