### Brief description:
PHPSHE B2C mall system v1.2 (build 20140519 UTF8): SQL injection through the X-Forwarded-For header
### Details:
In index.php, the visitor's IP address as returned by pe_ip() is passed straight into the iplog lookup:
```php
<?php
// index.php (excerpt as posted in the report)
$cache_category_arr = cache::get('category_arr');
$cache_class = cache::get('class');
$cache_ad = cache::get('ad');
$cache_link = cache::get('link');
$cache_page = cache::get('page');
$web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array();
$cart_num = pe_login('user') ? $db->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
// pe_ip() is used as a query value without any validation or escaping
if (!$db->pe_num('iplog', array('iplog_ip'=>pe_ip(), 'iplog_adate'=>date('Y-m-d')))) {
    // body of the if block is omitted in the original report
}
```
pe_ip() itself prefers client-supplied headers over the socket peer address:
```php
<?php
// pe_ip() as shipped (vulnerable version, reproduced from the report)
function pe_ip()
{
    if (isset($_SERVER)) {
        // Both of these headers are set by the HTTP client and can hold any string
        if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
            $realip = $_SERVER["HTTP_X_FORWARDED_FOR"];
        } else if (isset($_SERVER["HTTP_CLIENT_IP"])) {
            $realip = $_SERVER["HTTP_CLIENT_IP"];
        } else {
            // Only this value comes from the TCP connection itself
            $realip = $_SERVER["REMOTE_ADDR"];
        }
    } else {
        if (getenv("HTTP_X_FORWARDED_FOR")) {
            $realip = getenv("HTTP_X_FORWARDED_FOR");
        } else if (getenv("HTTP_CLIENT_IP")) {
            $realip = getenv("HTTP_CLIENT_IP");
        } else {
            $realip = getenv("REMOTE_ADDR");
        }
    }
    // Returned as-is: no IP validation, no escaping
    return $realip;
}
```
The returned value is never filtered. Because X-Forwarded-For (and Client-IP) is fully attacker-controlled, whatever string the client sends is carried into the iplog query, giving SQL injection.
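The following is an added example, not code from PHPSHE or the report's author: a hardened replacement for pe_ip() together with a parameterised version of the iplog check. It assumes a PDO connection `$pdo`, the table `iplog` with columns `iplog_ip` and `iplog_adate` named in the report, and a hypothetical list of trusted reverse proxies `TRUSTED_PROXIES`; the `$_SERVER`-style arrays at the bottom are constructed test inputs.

```php
<?php
// Added example (not PHPSHE code). Assumptions: PDO connection $pdo, table `iplog`
// with columns `iplog_ip` / `iplog_adate`, and a hypothetical TRUSTED_PROXIES list.
// Run with zend.assertions=1 for the self-checks at the bottom to fire.

// Hypothetical: addresses of the reverse proxies allowed to set X-Forwarded-For.
const TRUSTED_PROXIES = ['10.0.0.2'];

function pe_ip_safe(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $candidate = $remote;

    // Only honour X-Forwarded-For when the TCP peer is one of our own proxies.
    // From any other peer the header is just attacker-supplied text.
    if (in_array($remote, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // XFF is a comma-separated chain; a trusted proxy appends the address it
        // actually saw as the last element, so that is the only one to believe.
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($chain);
    }

    // Whitelist validation: "1.2.3.4' OR 1=1#" is not an IP and is discarded
    // before it can reach the database.
    $ip = filter_var($candidate, FILTER_VALIDATE_IP);
    return $ip === false ? '0.0.0.0' : $ip;
}

function iplog_seen_today(PDO $pdo, string $ip): bool
{
    // The IP travels as a bound parameter and is never spliced into the SQL text,
    // so even a value that slipped past validation could not change the query.
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM iplog WHERE iplog_ip = :ip AND iplog_adate = :adate'
    );
    $stmt->execute([':ip' => $ip, ':adate' => date('Y-m-d')]);
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed inputs for a self-check (not live traffic).
// 1. Direct client sends a forged header: the peer is not a proxy, so it is ignored.
$direct = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => "1.2.3.4' OR 1=1#"];
assert(pe_ip_safe($direct) === '203.0.113.9');

// 2. Request via the trusted proxy: junk the client put first is dropped, the
//    address the proxy appended is used.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => "1.2.3.4' OR 1=1#, 198.51.100.7"];
assert(pe_ip_safe($viaProxy) === '198.51.100.7');

// 3. Proxy present but the only value is not an IP at all: rejected.
$bad = ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => "' OR sleep(5)#"];
assert(pe_ip_safe($bad) === '0.0.0.0');
```

Two independent layers are used on purpose: validating the address closes this bug at its source and also stops IP-based rate limits or bans from being bypassed with a spoofed header, while binding the value as a parameter means the iplog query stays safe even if some future caller feeds it an unvalidated string.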
### Proof of vulnerability:
[![ps2.jpg](https://images.seebug.org/upload/201405/23212103cd7297468d859026bceb761961cc56a6.jpg)](https://images.seebug.org/upload/201405/23212103cd7297468d859026bceb761961cc56a6.jpg)
A crafted X-Forwarded-For value produces a database error.
[![ps3.jpg](https://images.seebug.org/upload/201405/23212121c56262f0cf2b74df4ac43a5cb0723272.jpg)](https://images.seebug.org/upload/201405/23212121c56262f0cf2b74df4ac43a5cb0723272.jpg)
The header value is carried into the query, so it can be injected.