### 简要描述:
phpshe 注入漏洞
### 详细说明:
```
/module/index/product.php
case 'list':
$category_id = intval($id);
$info = $db->pe_select('category', array('category_id'=>$category_id));
//搜索
$sqlwhere = " and `product_state` = 1";
pe_lead('hook/category.hook.php');
if ($category_id) {
$sqlwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
}
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'";
if ($_g_orderby) {
$orderby = explode('_', $_g_orderby);
$sqlwhere .= " order by `product_{$orderby[0]}` //把get参数分割_之后带入查询~{$orderby[1]}";
}
else {
$sqlwhere .= " order by `product_id` desc";
}
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
//热卖排行
```
### 漏洞证明:
测试方法
http://127.0.0.1/phpshe/index.php?mod=product&act=list&orderby=a%27_b
[<img src="https://images.seebug.org/upload/201405/08180630ee009a398988b71ddba16281d5a275e9.png" alt="QQ截图20140506184802.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/08180630ee009a398988b71ddba16281d5a275e9.png)
京公网安备 11010502034610号
暂无评论