./subscribe.php这个页面存在问题
其中除了$_REQUEST['act']=='mail'选项未添加页面发送信息外,其余选项都拼接了用户发送信息。
属于post表单信息。
elseif($_REQUEST['act']=='unsubscribe') { $email_code = trim($_REQUEST['code']); //只去掉了两端预定义字符 $email = base64_decode($email_code); //简单的base64_decode编码 之后就带入了语句 if($GLOBALS['db']->getOne("select count(*) from ".DB_PREFIX."mail_list where mail_address='".$email."'")==0) { showErr($GLOBALS['lang']['MAIL_NOT_EXIST'],0,APP_ROOT); } else { send_unsubscribe_mail($email); showSuccess($GLOBALS['lang']['MAIL_UNSUBSCRIBE_VERIFY'],0,APP_ROOT); } } elseif($_REQUEST['act']=='dounsubscribe') { $email_code = trim($_REQUEST['code']); //和以上一样的错误 $email_code = base64_decode($email_code); $arr = explode("|",$email_code); $GLOBALS['db']->query("delete from ".DB_PREFIX."mail_list where code = '".$arr[0]."' and mail_address = '".$arr[1]."'"); $rs = $GLOBALS['db']->affected_rows(); if($rs) { showSuccess($GLOBALS['lang']['MAIL_UNSUBSCRIBE_SUCCESS'],0,APP_ROOT); } else { showErr($GLOBALS['lang']['MAIL_UNSUBSCRIBE_FAILED'],0,APP_ROOT); } }
可以看到用户输入很简单的带入了sql语句中,不过最终结果并未直接显示在页面上。还是靠页面返回信息来判断语句执行是否成功
修复方案: 过滤关键字
查看更多关于易想团购(easethink)又一个sql注入 - 网站安全 - 自学的详细内容...