### 简要描述:
如题。
### 详细说明:
```
case 'register':
if (isset($_p_pesubmit)) {
if($db->pe_num('user', array('user_name'=>pe_dbhold($_g_user_name)))) pe_error('用户名已存在...');
if($db->pe_num('user', array('user_email'=>pe_dbhold($_g_user_email)))) pe_error('邮箱已存在...');
if (strtolower($_s_authcode) != strtolower($_p_authcode)) pe_error('验证码错误');
$sql_set['user_name'] = $_p_user_name;
$sql_set['user_pw'] = md5($_p_user_pw);
$sql_set['user_email'] = $_p_user_email;
$sql_set['user_ip'] = pe_ip();
$sql_set['user_atime'] = $sql_set['user_ltime'] = time();
if ($user_id = $db->pe_insert('user', pe_dbhold($sql_set))) {
add_pointlog($user_id, 'reg', $cache_setting['point_reg'], '注册帐号');
$info = $db->pe_select('user', array('user_id'=>$user_id));
$_SESSION['user_idtoken'] = md5($info['user_id'].$pe['host_root']);
$_SESSION['user_id'] = $info['user_id'];
$_SESSION['user_name'] = $info['user_name'];
$_SESSION['pe_token'] = pe_token_set($_SESSION['user_idtoken']);
//未登录时的购物车列表入库
if (is_array($cart_list = unserialize($_c_cart_list))) {
foreach ($cart_list as $k => $v) {
$cart_info['cart_atime'] = time();
$cart_info['product_id'] = $k;
$cart_info['product_num'] = $v['product_num'];
$cart_info['user_id'] = $info['user_id'];
$db->pe_insert('cart', pe_dbhold($cart_info));
```
用户注册时对输入进行了转义（pe_dbhold），因此用户名中的特殊字符被原样存入数据库；
随后登录时又将数据库中的完整值（含这些特殊字符）直接带入了 session。
```
case 'login':
if (isset($_p_pesubmit)) {
$sql_set['user_name'] = $_p_user_name;
$sql_set['user_pw'] = md5($_p_user_pw);
if (strtolower($_s_authcode) != strtolower($_p_authcode)) pe_error('验证码错误');
if ($info = $db->pe_select('user', pe_dbhold($sql_set))) {
$db->pe_update('user', array('user_id'=>$info['user_id']), array('user_ltime'=>time()));
if (!$db->pe_num('pointlog', " and `user_id` = '{$info['user_id']}' and `pointlog_type` = 'reg' and `pointlog_text` = '登录帐号' and `pointlog_atime` >= '".strtotime(date('Y-m-d'))."'")) {
add_pointlog($info['user_id'], 'reg', $cache_setting['point_login'], '登录帐号');
}
$_SESSION['user_idtoken'] = md5($info['user_id'].$pe['host_root']);
$_SESSION['user_id'] = $info['user_id'];
$_SESSION['user_name'] = $info['user_name'];
```
随后在 D:/wamp/www/module/index/order.php 中，该 session 值被取出并直接带入了 SQL：
```
case 'comment':
$order_id = pe_dbhold($_g_id);
$info = $db->pe_select('order', array('order_id'=>$order_id, 'user_id'=>$_s_user_id));
if (!$info['order_id']) pe_error('参数错误...');
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
if (isset($_p_pesubmit)) {
pe_token_match();
if ($info['order_comment']) pe_error('请勿重复评价...');
foreach ($info_list as $k=>$v) {
$sql_set[$k]['comment_star'] = intval($_p_comment_star[$v['product_id']]);
$sql_set[$k]['comment_text'] = pe_dbhold($_p_comment_text[$v['product_id']]);
$sql_set[$k]['comment_atime']= time();
$sql_set[$k]['product_id'] = $v['product_id'];
$sql_set[$k]['order_id'] = $order_id;
$sql_set[$k]['user_ip'] = pe_dbhold(pe_ip());
$sql_set[$k]['user_id'] = $_s_user_id;
$sql_set[$k]['user_name'] = $_s_user_name;
if (!$sql_set[$k]['comment_text']) pe_error('评价内容必须填写...');
}
if ($db->pe_insert('comment', $sql_set)) {
order_callback('comment', $order_id);
pe_success('评价成功!');
```
我们注册一个用户名为 aaaaaaa' 的用户，购买商品后进行评价，可以看到单引号被原样带入了 SQL 语句。
[<img src="https://images.seebug.org/upload/201509/1605551476d610488f338f99b9cb11b7cdb6e46d.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201509/1605551476d610488f338f99b9cb11b7cdb6e46d.png)
### 漏洞证明:
[<img src="https://images.seebug.org/upload/201509/1605551476d610488f338f99b9cb11b7cdb6e46d.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201509/1605551476d610488f338f99b9cb11b7cdb6e46d.png)
由于插入 comment 表时 user_name（来自 $_s_user_name）未再次经过 pe_dbhold 转义，可构成盲注。