### Summary:
Three SQL injections, bundled into one report
### Details:
\virtual-office\offer.php:
```php
if (isset($_POST['del']) && !empty($_POST['tradeid'])) {
$tRes = $trade->del($_POST['tradeid'], "member_id = ".$the_memberid);
if($tRes) $pdb->Execute("DELETE from {$tb_prefix}tradefields WHERE member_id={$the_memberid} AND trade_id IN (".implode(",",$_POST['tradeid']).")");// injection 1: not filtered and not quoted, goes straight into the SQL statement
}
if(isset($_POST['refresh'])){
if (!empty($_POST['refresh']) && !empty($_POST['tradeid'])) {
$vals = array();
$pre_submittime = $pdb->GetOne("select max(submit_time) from {$tb_prefix}trades where member_id=".$the_memberid);
if ($pre_submittime>($time_stamp-$tMaxDay*86400)) {
flash("allow_refresh_day");
}
$vals['submit_time'] = $time_stamp;
$vals['expire_days'] = 10;
$vals['expire_time'] = $time_stamp+(24*3600*$vals['expire_days']);
$conditions[]= "status='1'";
$ids = implode(",", $_POST['tradeid']);// injection 2: same as above
$conditions[]= "id in (".$ids.")";
$condition = implode(" AND ", $conditions);
$sql = "update ".$trade->getTable()." set submit_time=".$time_stamp.",expire_days=10,expire_time=".$vals['expire_time']." where ".$condition;
$result = $pdb->Execute($sql);
if ($result) {
flash("success");
}else{
flash("action_failed");
}
}
}
```
\virtual-office\link.php:
```php
if (isset($_POST['delete'])) {
$deleted = false;
if (is_array($_POST['id'])) { // injection 3
$ids = "(".implode(",", $_POST['id']).")"; // again no quoting or filtering
$deleted = $pdb->Execute("DELETE FROM {$tb_prefix}spacelinks WHERE member_id={$the_memberid} AND id IN $ids");
if($deleted){
flash("success");
}else{
flash();
}
}else{
flash("no_data_deleted");
}
}
```
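All three sites share one root cause: an array of ids taken from `$_POST` is joined with `implode(",", ...)` and spliced into an `IN (...)` clause without validation, quoting or parameterization. The following is an added example of the hardened pattern, written for this page and not PHPB2B's own code. It assumes a PDO connection (`$pdo`), a table named `spacelinks` with `id` and `member_id` columns, and a constructed `$_POST['id']`-style input; `filterIdList` and `deleteOwnedRows` are hypothetical helper names. Each id is accepted only if it is a canonical positive integer, and the `IN` list is built from `?` placeholders so that no request data is ever concatenated into the query text.

```php
<?php
// Added example (not PHPB2B's code): safe handling of an id list posted for a
// bulk delete, replacing the "id IN (" . implode(",", $_POST['id']) . ")" pattern.
// Assumptions: a PDO connection in $pdo; the table/column names below are
// placeholders chosen for the demonstration.

declare(strict_types=1);

/**
 * Keep only values that are canonical positive integers written as decimal
 * digit strings ("12"), rejecting anything with operators, spaces, signs,
 * leading zeros or a non-scalar type. Returns an empty array for non-array input.
 */
function filterIdList($raw): array
{
    if (!is_array($raw)) {
        return [];
    }
    $ids = [];
    foreach ($raw as $v) {
        if (!is_string($v) && !is_int($v)) {
            continue;                      // arrays, objects, null: dropped
        }
        $s = (string) $v;
        // ctype_digit: only [0-9]; also reject "" and leading zeros ("0", "012")
        if ($s === '' || !ctype_digit($s) || $s[0] === '0') {
            continue;
        }
        $ids[] = (int) $s;
    }
    return array_values(array_unique($ids));
}

/**
 * Delete rows owned by $memberId whose id appears in $rawIds, using a prepared
 * statement with one "?" per id. $table is a fixed server-side identifier, never
 * request data. Returns the number of rows actually deleted.
 */
function deleteOwnedRows(PDO $pdo, string $table, int $memberId, $rawIds): int
{
    $ids = filterIdList($rawIds);
    if ($ids === []) {
        return 0;                          // nothing valid: run no query at all
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare(
        "DELETE FROM {$table} WHERE member_id = ? AND id IN ({$placeholders})"
    );
    $stmt->execute(array_merge([$memberId], $ids));
    return $stmt->rowCount();
}

// ---- constructed demonstration against an in-memory SQLite database ----
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE spacelinks (id INTEGER PRIMARY KEY, member_id INTEGER)');
$pdo->exec('INSERT INTO spacelinks VALUES (1, 7), (2, 7), (3, 7), (4, 8)');

// Constructed stand-in for $_POST['id']: two well-formed ids plus one value of
// the kind the report describes (SQL text instead of a number).
$posted = ['2', '3 OR 1=1', '4'];
$currentMemberId = 7;

var_dump(filterIdList($posted));
$deleted = deleteOwnedRows($pdo, 'spacelinks', $currentMemberId, $posted);
var_dump($deleted);
var_dump($pdo->query('SELECT COUNT(*) FROM spacelinks')->fetchColumn());
```

Run with `php example.php` (PDO's SQLite driver is needed for the demonstration part only; the two functions work unchanged with MySQL). `filterIdList` keeps 2 and 4 and discards the `3 OR 1=1` entry; the delete then removes only row 2, because row 4 belongs to another member and the `member_id = ?` condition is bound rather than interpolated, so three rows remain. If the application must keep `$pdb->Execute` with a concatenated string, the same `filterIdList` step alone already guarantees that only integers reach the `IN (...)` clause.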
### Proof of vulnerability:
Register as a business member, post a supply/demand (trade) listing, then delete it:
[<img src="https://images.seebug.org/upload/201501/21144106a7b9caa5fd4707a33fbf0302d1e7d483.png" alt="1.png" width="600">](https://images.seebug.org/upload/201501/21144106a7b9caa5fd4707a33fbf0302d1e7d483.png)
SQL log:
[<img src="https://images.seebug.org/upload/201501/2114412932ba6708ef539ee53f55341b6916ee48.png" alt="2.png" width="600">](https://images.seebug.org/upload/201501/2114412932ba6708ef539ee53f55341b6916ee48.png)
Injection 2:
[<img src="https://images.seebug.org/upload/201501/21144150a618e856a1ad4afe7106641fc8898e98.png" alt="3.png" width="600">](https://images.seebug.org/upload/201501/21144150a618e856a1ad4afe7106641fc8898e98.png)
SQL log:
[<img src="https://images.seebug.org/upload/201501/2114502728aa6a8712b2e4864e448e7034b64457.png" alt="4.png" width="600">](https://images.seebug.org/upload/201501/2114502728aa6a8712b2e4864e448e7034b64457.png)
Third injection:
Add a partner link, then delete it:
http://localhost/phpb2b/virtual-office/link.php?do=edit
[<img src="https://images.seebug.org/upload/201501/2114455153ee946abd2a4f9e1d6eb8ffd5fbc129.png" alt="5.png" width="600">](https://images.seebug.org/upload/201501/2114455153ee946abd2a4f9e1d6eb8ffd5fbc129.png)
SQL log:
[<img src="https://images.seebug.org/upload/201501/21144606c94aa8363ffb4e94fb062a3a519d15ef.png" alt="6.png" width="600">](https://images.seebug.org/upload/201501/21144606c94aa8363ffb4e94fb062a3a519d15ef.png)