利用ecshop v2.7.2的鸡肋注入:
02
03 /flow.php
04 ..................................
05
06 elseif ($_REQUEST['step'] == 'update_cart')
07 {
08 if (isset($_POST['goods_number']) && is_array($_POST['goods_number']))
09 {
10 flow_update_cart($_POST['goods_number']);
11 }
12
13 show_message($_LANG['update_cart_notice'], $_LANG['back_to_cart'], 'flow.php');
14 exit;
15 }
16
17 ...................................
18 function flow_update_cart($arr)
19 {
20 /* 处理 */
21 foreach ($arr AS $key => $val)
22 {
23 $val = intval(make_semiangle($val));
24 if ($val <= 0)
25 {
26 continue;
27 }
28
29 //查询:
30 $sql = "SELECT `goods_id`, `goods_attr_id`, `product_id`, `extension_code` FROM" .$GLOBALS['ecs']->table('cart').
31 " WHERE rec_id='$key' AND session_id='" . SESS_ID . "'";
32 $goods = $GLOBALS['db']->getRow($sql);
33 ........................................
34
35 $_POST['goods_number']变量没有过滤,magic_quotes_gpc=off的情况下可型成注入漏洞,漏洞原理请参考http://www.80vul.com/pch/pch-005.txt