### 简要描述:
过滤不严。无需单引号。同一文件。
### 详细说明:
在inc/user/alipay/alipayapi.php中
```
$out_trade_no = $_POST['WIDout_trade_no'];//可控
//商户网站订单系统中唯一订单号,必填
//订单名称
$subject = $_POST['WIDsubject'];
//必填
//付款金额
$price = $_POST['WIDprice'];
//必填
//商品数量
$quantity = "1";
//必填,建议默认为1,不改变值,把一次交易看成是一次下订单而非购买一件商品
//物流费用
$logistics_fee = "0.00";
//必填,即运费
//物流类型
$logistics_type = "EXPRESS";
//必填,三个值可选:EXPRESS(快递)、POST(平邮)、EMS(EMS)
//物流支付方式
$logistics_payment = "SELLER_PAY";
//必填,两个值可选:SELLER_PAY(卖家承担运费)、BUYER_PAY(买家承担运费)
//订单描述
$body = $_POST['WIDbody'];
//商品展示地址
$show_url = $_POST['WIDshow_url'];
//需以http://开头的完整路径,如:http://www.xxx.com/myorder.html
//收货人姓名
$receive_name = $_POST['WIDreceive_name'];
//如:张三
//收货人地址
$receive_address = $_POST['WIDreceive_address'];
//如:XX省XXX市XXX区XXX路XXX小区XXX栋XXX单元XXX号
//收货人邮编
$receive_zip = $_POST['WIDreceive_zip'];
//如:123456
//收货人电话号码
$receive_phone = $_POST['WIDreceive_phone'];
//如:0571-88158090
//收货人手机号码
$receive_mobile = $_POST['WIDreceive_mobile'];
//如:13312341234
/************************************************************/
//构造要请求的参数数组,无需改动
$parameter = array(
"service" => "trade_create_by_buyer",
"partner" => trim($alipay_config['partner']),
"payment_type" => $payment_type,
"notify_url" => $notify_url,
"return_url" => $return_url,
"seller_email" => $alipay_config['no'],
"out_trade_no" => $out_trade_no,
"subject" => $subject,
"price" => $price,
"quantity" => $quantity,
"logistics_fee" => $logistics_fee,
"logistics_type" => $logistics_type,
"logistics_payment" => $logistics_payment,
"body" => $body,
"show_url" => $show_url,
"receive_name" => $receive_name,
"receive_address" => $receive_address,
"receive_zip" => $receive_zip,
"receive_phone" => $receive_phone,
"receive_mobile" => $receive_mobile,
"_input_charset" => trim(strtolower($alipay_config['input_charset']))
);
$db = new AppDb($MAC['db']['server'],$MAC['db']['user'],$MAC['db']['pass'],$MAC['db']['name']);
$sql = 'select count(*) from {pre}user_pay where p_order='.$out_trade_no;
$num = $db->getOne($sql);
if($num>0){
showErr('System',"订单号错误无法提交数据");
}
else{
$db->Add('{pre}user_pay',array('p_uid','p_order','p_price','p_point','p_time'),array($_SESSION["userid"],$out_trade_no,$price,$price*$MAC['pay']['app']['exc'],time()));
}
```
可以看到 直接带入了下面的这两个查询当中 其中一个语句还不需要单引号
所以就不需要考虑gpc了。
### 漏洞证明:
[<img src="https://images.seebug.org/upload/201403/15224801ead5f57d78ba92a658382d548ee43e45.jpg" alt="19.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/15224801ead5f57d78ba92a658382d548ee43e45.jpg)
[<img src="https://images.seebug.org/upload/201403/15224812a1628b2fba99cd4ad9a7ed7f93feaba4.jpg" alt="20.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/15224812a1628b2fba99cd4ad9a7ed7f93feaba4.jpg)
剩下的就能直接注入了。
京公网安备 11010502034610号
暂无评论