LxBlog 5.3 注入漏洞_Mr

查看文章

LxBlog 5.3 注入漏洞

2009-03-22 02:37

by:xhming

漏洞代码:

user/userhobby.php

}elseif($_POST['step']==2){
        $uphobby = '';
        if (!empty($userhobby) && is_array($userhobby)) {                                  //注意!
                $db->update("DELETE FROM pw_userhobby WHERE uid='$admin_uid'");
                $userhobby = array_unique($userhobby);
                $uphobby = 'INSERT INTO pw_userhobby(uid,hobbyid) VALUES';
                $hadd = $update = '';
                foreach($userhobby as $key=>$val){
                        $uphobby .= "$hadd('$admin_uid','$val')";
                        $update .= "$hadd'$val'";
                        $hadd = ',';
                }
        }
        $uphobby && $db->update($uphobby);
        if ($update) {                                                                                               //没过滤
                $hobbydb = array();
                $query = $db->query("SELECT id,name FROM pw_hobbyitem WHERE id IN ($update) AND ifcheck=1 ORDER BY vieworder");
                while ($rt=$db->fetch_array($query)) {
                        $hobbydb[$rt['id']] = $rt['name'];
                }
                Strip_S($hobbydb);
                $hobbydb && $db->update("UPDATE pw_userinfo SET hobbydb='".addslashes(serialize($hobbydb))."' WHERE uid='$admin_uid'");
        }
        usermsg('operate_success',$basename);
}

?>
       虽然$update变量有初始化,但我们可以绕过!只需提交$userhobby变量并且不为数组,或直接干脆不提交这个变量就可绕过了l

类别：原创 | 添加到搜藏 | 浏览() | 评论 (0)

姓　名：	*姓名最长为50字节

网址或邮箱：	(选填)

内　容：

验证码：	请点击后输入四位验证码，字母不区分大小写看不清?
	取消回复