phpweb下的一套酒店系统。
news/html/index.php
// Define the module name and page name (both literals here; PageSet itself
// interpolates its arguments into SQL, see the function quoted below)
PageSet("news","detail");
跟踪PageSet函数。
function pageset( $coltype, $pagename ) { global $GLOBALS['msql']; $msql->query( "select * from {P}_base_pageset where coltype='{$coltype}' and pagename='{$pagename}'" ); //....省略代码N行
变量$coltype、$pagename未经过任何过滤，直接代入query()方法。
跟踪query()
/**
 * Runs a raw SQL string on the current connection.
 *
 * The only transformation applied is replacing the "{P}" placeholder with the
 * table prefix; the string is otherwise handed to mysql_query() as-is. No
 * quoting or escaping happens here, and the legacy mysql_* extension (removed
 * in PHP 7.0) offers no prepared statements, so every caller is responsible
 * for escaping the values it interpolates — none of the callers quoted on
 * this page (pageset, securefunc, secureclass) do so.
 *
 * @param string $Query_String SQL text, possibly containing "{P}"
 * @return mixed               the mysql_query() result (false on failure)
 */
function query( $Query_String )
{
    // Substitute the table-prefix placeholder only.
    $Query_String = str_replace( "{P}", $this->TablePre, $Query_String );
    $this->connect( );
    $this->Query_ID = mysql_query( $Query_String, $this->Link_ID );
    $this->Row = 0;
    $this->Errno = mysql_errno( );
    $this->Error = mysql_error( );
    if ( !$this->Query_ID )
    {
        // NOTE(review): the full failed statement is passed to halt() (not shown);
        // if halt() renders it to the client, query structure is disclosed on error.
        $this->halt( "Invalid SQL: ".$Query_String );
    }
    return $this->Query_ID;
}
变量$Query_String直接代入查询
EXP:http://127.0.0.1/news/html/?384' and 1=1 and ''='.html
文件上传处。
// Permission check for image upload
SecureMember();
if(SecureFunc("124")==false){
    // NOTE(review): in the quoted code alert() is not followed by exit/return,
    // so processing appears to continue after a failed permission check
    // (the elided lines may change this — confirm).
    alert("您的会员帐号没有上传图片的权限");
}
//.............
// When a file is uploaded
// here: the file name of the destination comes straight from POST; no
// basename() or extension allow-list is visible in the quoted code, so the
// client chooses the name and extension written under $save_path.
$file_path = $save_path.$_POST['fileName'];
//.............
// Move the file
// here: $file_path is the client-influenced path built above.
if (move_uploaded_file($tmp_name, $file_path) === false) {
    alert("上传文件失败。");
}
}
跟踪SecureMember()、SecureFunc()两个函数。
/**
 * Member login gate: redirects to member/login.php unless the cookies pass.
 *
 * Every input is a cookie; no server-side session is consulted. ZC is
 * expected to equal md5(MUSER . "76|01|14" . MEMBERID . MEMBERTYPE . SE),
 * i.e. a hash over client-supplied values plus a constant embedded in the
 * code — it contains no server-side secret and no session binding.
 * Mitigation: keep member identity in a server-side session and compare
 * any token with hash_equals().
 */
function securemember( )
{
    // cookie check
    if ( !isset( $_COOKIE['MUSER'] ) || !isset( $_COOKIE['ZC'] ) || $_COOKIE['MUSER'] == "" || $_COOKIE['ZC'] == "" || $_COOKIE['MEMBERTYPEID'] == "" )
    {
        echo "<script>top.location='".ROOTPATH."member/login.php'</script>";
        exit( );
    }
    else
    {
        // Expected token, built purely from cookie values and a hard-coded string.
        $md5 = md5( $_COOKIE['MUSER']."76|01|14".$_COOKIE['MEMBERID'].$_COOKIE['MEMBERTYPE'].$_COOKIE['SE'] );
        // Loose (!=) comparison, not constant-time; hash_equals() is the usual fix.
        if ( $_COOKIE['ZC'] != $md5 )
        {
            echo "<script>top.location='".ROOTPATH."member/login.php'</script>";
            exit( );
        }
    }
}

/**
 * Returns true when the member named by the MEMBERID cookie holds right $secureid.
 *
 * @param string $secureid right identifier, interpolated unescaped into the SQL
 * @return bool|null true on a matching row; the rest of the body is elided on this page
 */
function securefunc( $secureid )
{
    // Bare expression statement: has no effect as written (looks like a
    // decompiler rendering of `global $fsql;` — confirm), so $fsql below
    // would be undefined in this exact form.
    $GLOBALS['fsql'];
    $memberid = $_COOKIE['MEMBERID'];
    // $memberid taken straight from the cookie; it and $secureid go into the
    // statement without escaping — the injection point this page refers to.
    $fsql->query( "select id from {P}_member_rights where memberid='{$memberid}' and secureid='{$secureid}'" );
    if ( $fsql->next_record( ) )
    {
        return true;
    }
    //.............
}
/**
 * Returns the "secureset" value for the member named by the MEMBERID cookie
 * and right $secureid. Same pattern as securefunc(): the member id is read
 * from an unauthenticated cookie and, together with $secureid, interpolated
 * into the SQL without escaping.
 *
 * @param string $secureid right identifier, interpolated unescaped into the SQL
 * @return mixed the secureset column on a matching row; the rest of the body is elided on this page
 */
function secureclass( $secureid )
{
    // Bare expression statement with no effect as written (probably a
    // decompiler rendering of `global $fsql;` — confirm).
    $GLOBALS['fsql'];
    $memberid = $_COOKIE['MEMBERID'];
    $fsql->query( "select secureset from {P}_member_rights where memberid='{$memberid}' and secureid='{$secureid}'" );
    if ( $fsql->next_record( ) )
    {
        $secureset = $fsql->f( "secureset" );
        return $secureset;
    }
    //.............
}
目测SecureMember函数验证由COOKIE完成。
SecureFunc验证处存在SQL注入。
这里我构造失败。
留言评论(旧系统):