### Summary:
PHPSHE e-commerce program SQL injection 5
### Details:
In the product list, one request parameter is used without filtering, which leads to SQL injection.
The code is in the file /module/index/product.php.
Let's look at the product list code:
```
//#####################@ Product list @#####################//
case 'list':
    $category_id = intval($id);
    $info = $db->pe_select('category', array('category_id'=>$category_id));
    // search filters
    $sqlwhere = " and `product_state` = 1";
    pe_lead('hook/category.hook.php');
    if ($category_id) {
        $sqlwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
    }
    $_g_keyword && $sqlwhere .= " and `product_name` like '%".pe_dbhold($_g_keyword)."%'"; // the keyword at least goes through pe_dbhold()
    if ($_g_orderby) {
        $orderby = explode('_', $_g_orderby); // split the parameter on '_'
        $sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}"; // both halves are interpolated with no escaping and no whitelist
    }
    else {
        $sqlwhere .= " order by `product_id` desc";
    }
    $info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page)); // the string reaches the SQL query
    // best sellers
    $product_hotlist = product_hotlist();
    // current category path
    $nowpath = category_path($category_id);
    $seo = pe_seo($info['category_name']);
    include(pe_tpl('product_list.html'));
    break;
```
Following the pe_selectall function:
```
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    // build the where clause
    $sqlwhere = $this->_dowhere($where);
    return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
}

protected function _dowhere($where)
{
    if (is_array($where)) {
        foreach ($where as $k => $v) {
            if (is_array($v)) {
                $where_arr[] = "`{$k}` in('".implode("','", $v)."')";
            }
            else {
                in_array($k, array('order by', 'group by')) ? ($sqlby = " {$k} {$v}") : ($where_arr[] = "`{$k}` = '{$v}'");
            }
        }
        $sqlwhere = is_array($where_arr) ? 'where '.implode($where_arr, ' and ').$sqlby : $sqlby;
    }
    else {
        // a string condition is appended verbatim after "where 1"
        $where && $sqlwhere = (stripos(trim($where), 'order by') === 0 or stripos(trim($where), 'group by') === 0) ? "{$where}" : "where 1 {$where}";
    }
    return $sqlwhere;
}
```
From the code above: `$_g_orderby` (the `orderby` request parameter) is split on `_`, and both halves are interpolated into the `order by` clause with no escaping and no whitelist, unlike `$_g_keyword`, which at least passes through `pe_dbhold()`. `_dowhere()` treats a string condition as opaque and simply appends it after `where 1`, so the clause reaches the final query unchanged. The first half sits inside backticks, but the second half (`$orderby[1]`, the text between the first and second underscore) is placed directly after the sort direction, so arbitrary SQL can be appended there; the only constraint is that the payload itself must not contain another `_`, because `explode()` would cut it off. The result is SQL injection through the orderby parameter.
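The following is an added example, not PHPSHE's own code, that reproduces the vulnerable `order by` builder from product.php beside a hardened replacement which maps the request value onto a fixed whitelist of columns and directions. The function names and the column list (`product_id`, `product_price`) are assumptions for illustration; the real list should be taken from the columns of the `product` table that the template actually offers for sorting. The inputs, including the injection payload, are constructed.

```php
<?php
// Added example (not PHPSHE code): vulnerable vs. hardened ORDER BY construction.

// Vulnerable: mirrors product.php, which explodes the request value on '_'
// and interpolates both halves into the clause without any validation.
function build_orderby_vulnerable(string $orderby): string
{
    if ($orderby !== '') {
        $parts = explode('_', $orderby);
        // The original emits an "undefined offset" notice when there is no '_';
        // "?? ''" only keeps this example quiet, the SQL produced is the same.
        return " order by `product_{$parts[0]}` " . ($parts[1] ?? '');
    }
    return " order by `product_id` desc";
}

// Hardened: the request value only selects an entry from a fixed map;
// no byte from the request is ever copied into the SQL string.
function build_orderby_safe(string $orderby): string
{
    // Assumed column list for illustration; use the real `product` columns.
    $columns    = ['id' => 'product_id', 'price' => 'product_price'];
    $directions = ['asc' => 'asc', 'desc' => 'desc'];

    $column    = 'product_id';
    $direction = 'desc';
    $parts = explode('_', $orderby, 2);
    if (count($parts) === 2) {
        $dir = strtolower($parts[1]);
        if (isset($columns[$parts[0]], $directions[$dir])) {
            $column    = $columns[$parts[0]];
            $direction = $directions[$dir];
        }
        // Any other value silently falls back to the default ordering.
    }
    return " order by `{$column}` {$direction}";
}

// Constructed inputs: two legitimate values and one injection attempt in
// which the second half carries an extra expression after the direction.
$inputs = [
    'id_desc',
    'price_asc',
    'id_desc,(select 1)',
];
foreach ($inputs as $in) {
    echo "input:      {$in}\n";
    echo "vulnerable:" . build_orderby_vulnerable($in) . "\n";
    echo "hardened:  " . build_orderby_safe($in) . "\n\n";
}
```

Run it with `php example.php`. For the third input the vulnerable builder yields `order by \`product_id\` desc,(select 1)`, i.e. attacker-controlled SQL after the direction, while the hardened builder returns the default ordering. A prepared statement cannot parameterise an identifier or the `asc`/`desc` keyword, which is why a lookup table of allowed values, rather than escaping, is the standard fix for `order by` injection.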
### Proof of vulnerability:
Append the following content to the orderby parameter, as shown in the screenshot:
[![2.png](https://images.seebug.org/upload/201312/24221341d2cb4da19a244031a9eb51631e5159bb.png)](https://images.seebug.org/upload/201312/24221341d2cb4da19a244031a9eb51631e5159bb.png)
The SQL statement executes successfully.
There is also a path disclosure vulnerability here.