PHPSHE电商程序SQL注入4

### 简要描述： PHPSHE电商程序SQL注入漏洞#4 ### 详细说明： 在删除购物车商品时，参数未过滤直接带入sql语句执行，导致SQL注入。 在/module/index/order.php文件： ``` //#####################@ 购物车商品删除 @#####################// case 'cartdel': $money['order_productmoney'] = $money['order_wlmoney'] = $money['order_money'] = 0; if (pe_login('user')) { $result = $db->pe_delete('cart', array('user_id'=>$_s_user_id, 'product_id'=>$_g_product_id));//漏洞存在这里 } else { $cart_list = unserialize($_c_cart_list); unset($cart_list[$_g_product_id]); $result = is_array($cart_list[$_g_product_id]) ? false : true; setcookie('cart_list', serialize($cart_list), 0, '/'); } $cart_info = cart_info($cart_list); echo json_encode(array('result'=>$result, 'money'=>$cart_info['money'])); break; ``` Pe_delect函数/include/class/db.class.php如下： ``` public function pe_delete($table, $where = '') { //处理条件语句 $sqlwhere = $this->_dowhere($where); return $this->sql_delete("delete from `".dbpre."{$table}` {$sqlwhere}"); } protected function _dowhere($where) { if (is_array($where)) { foreach ($where as $k => $v) { if (is_array($v)) { $where_arr[] = "`{$k}` in('".implode("','", $v)."')"; } else { in_array($k, array('order by', 'group by')) ? ($sqlby = " {$k} {$v}") : ($where_arr[] = "`{$k}` = '{$v}'"); } } $sqlwhere = is_array($where_arr) ? 'where '.implode($where_arr, ' and ').$sqlby : $sqlby; } else { $where && $sqlwhere = (stripos(trim($where), 'order by') === 0 or stripos(trim($where), 'group by') === 0) ? "{$where}" : "where 1 {$where}"; } return $sqlwhere; } public function sql_delete($sql) { $this->query($sql); $result = mysql_affected_rows(); return $result > 0 ? $result : 0; } ``` 参数$_g_product_id没有过滤直接进入delete语句中导致sql注入。 ### 漏洞证明： 我们来删除购物车中的商品，在product_id参数处，加入错误的sql语句： [<img src="https://images.seebug.org/upload/201312/2422000467fd8a410c0388cf1d5917c178a73ae7.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/2422000467fd8a410c0388cf1d5917c178a73ae7.png) 我们的sql语句带入执行了，条件不成立，result返回为0，删除失败。 [<img src="https://images.seebug.org/upload/201312/24220016948379039a3db2f05ec62bd2dd77556b.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/24220016948379039a3db2f05ec62bd2dd77556b.png) 输入正确的sql语句，条件成了，删除成功，然会为1.