Summary of fixes for WeEngine (微擎) system bugs and vulnerabilities (original) - 谦信君 - 博客园


Summary of fixes for bugs and vulnerabilities in the WeEngine (微擎) / Weizan (微赞) system

I set up a WeEngine system to play with and found it has quite a few bugs; Alibaba Cloud raised a whole pile of alerts. The main issue is that nothing guards against SQL injection, and the fixes are basically all escaping functions.

Summary:

1.

Vulnerability name:

WeEngine arbitrary file download

Vulnerable file path: /framework/function/global.func.php

Solution:


Repair steps:

Open the file /framework/function/global.func.php

Search for `if (strexists($t, 'http://')`

Find

```php
if (strexists($t, 'http://') || strexists($t, 'https://') || substr($t, 0, 2) == '//') {
    return $src;
}
```

Replace it with

```php
if ((substr($t, 0, 7) == 'http://') || (substr($t, 0, 8) == 'https://') || (substr($t, 0, 2) == '//')) {
    return $src;
}
```

Done.

Save the file, upload it to the server, and run the check in Server Guard (安骑士); it passes.
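As an added example (not code from the post or from WeEngine), here are the original substring test and the patched prefix test from this fix side by side, run over a few constructed path values; the strexists() stand-in is an assumption about the framework helper's behaviour.

```php
<?php
// Added example, not WeEngine code: the two forms of the "is this a remote
// URL?" test from section 1, side by side, run over constructed inputs.
// strexists() is WeEngine's own helper; the stand-in below is an assumption
// about its behaviour (a plain substring test).

function strexists(string $string, string $find): bool
{
    return strpos($string, $find) !== false;
}

// Original test: true when the scheme string appears ANYWHERE in the value.
function isRemoteBySubstring(string $t): bool
{
    return strexists($t, 'http://') || strexists($t, 'https://') || substr($t, 0, 2) == '//';
}

// Patched test: true only when the value STARTS with a scheme or with '//'.
function isRemoteByPrefix(string $t): bool
{
    return substr($t, 0, 7) == 'http://' || substr($t, 0, 8) == 'https://' || substr($t, 0, 2) == '//';
}

// Constructed inputs. The last one is the interesting case: a local
// attachment path that merely contains "http://" after its first character.
$inputs = [
    'http://cdn.example.com/a.png',
    'https://cdn.example.com/a.png',
    '//cdn.example.com/a.png',
    'images/2017/08/a.png',
    'images/2017/08/a.png?ref=http://x',
];

printf("%-38s %-10s %s\n", 'input', 'substring', 'prefix');
foreach ($inputs as $t) {
    // Where the two columns disagree, the original code returned $src
    // unchanged for a value that is really a local path.
    printf(
        "%-38s %-10s %s\n",
        $t,
        var_export(isRemoteBySubstring($t), true),
        var_export(isRemoteByPrefix($t), true)
    );
}
```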

2.

Vulnerability name:

WeEngine SQL injection

Description:

In WeEngine's /web/source/mc/fans.ctrl.php, $_GPC['nickname'] is passed into a database query without SQL escaping, which leads to SQL injection.

Solution:


The vulnerable code is in web/source/mc/fans.ctrl.php (around line 148). Search for

```php
$nickname = trim($_GPC['nickname']);
```

and change it to

```php
$nickname = addslashes(trim($_GPC['nickname']));
```

3.

Vulnerability name:

WeEngine file editing SQL injection

Description:

In WeEngine's /web/source/site/article.ctrl.php, the parameters $_GPC['template'], $_GPC['title'], $_GPC['description'], $_GPC['source'] and $_GPC['author'] are not correctly escaped or filtered, which leads to SQL injection.

Solution:

Search for the code `message('标题不能为空,请输入标题!');`, as shown in the figure below:

Before line 82, add the following code:

```php
mysql_set_charset("gbk");
$_GPC['template'] = mysql_real_escape_string($_GPC['template']);
$_GPC['title'] = mysql_real_escape_string($_GPC['title']);
$_GPC['description'] = mysql_real_escape_string($_GPC['description']);
$_GPC['source'] = mysql_real_escape_string($_GPC['source']);
$_GPC['author'] = mysql_real_escape_string($_GPC['author']);
```

After the change, as in the figure:
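As an added example (not code from the post or from WeEngine), here is the spliced-string query that the escaping in sections 2 and 3 patches, beside the bound-parameter form that WeEngine's own pdo_fetch()/pdo_fetchall() placeholders already support. It assumes PHP with the pdo_sqlite driver; the table, its rows, the request value and the function names are constructed for the demo.

```php
<?php
// Added example, not WeEngine code: the nickname lookup that sections 2 and 3
// patch by escaping the value, rebuilt against an in-memory SQLite table so
// the spliced-string query and the bound-parameter query can be compared.
// Table, rows, request value and function names are constructed/assumed.

function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE mc_members (uid INTEGER PRIMARY KEY, uniacid INTEGER, nickname TEXT)');
    $db->exec("INSERT INTO mc_members VALUES (1, 7, 'alice'), (2, 7, 'O''Brien'), (3, 9, 'carol')");
    return $db;
}

// The shape the page starts from: the request value is spliced into the SQL
// text, so a quote inside it ends the literal and the rest is parsed as SQL.
function fansByNicknameSpliced(PDO $db, int $uniacid, string $nickname): array
{
    $sql = "SELECT uid, nickname FROM mc_members WHERE uniacid = {$uniacid} AND nickname LIKE '%{$nickname}%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The durable fix: a prepared statement with bound parameters, the same
// ':name' placeholder style the page's own pdo_fetch()/pdo_fetchall() calls
// use. The value can never change the statement's structure, whatever the
// connection charset; that charset dependence is where addslashes() (section 2)
// falls short and why mysql_real_escape_string() (section 3) is paired with
// mysql_set_charset(). The mysql_* extension itself was removed in PHP 7.
// The int type on $uniacid mirrors the intval() the page applies to ids.
function fansByNicknameBound(PDO $db, int $uniacid, string $nickname): array
{
    $stmt = $db->prepare('SELECT uid, nickname FROM mc_members WHERE uniacid = :uniacid AND nickname LIKE :pattern');
    $stmt->execute([':uniacid' => $uniacid, ':pattern' => '%' . $nickname . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = demoDb();
$input = "O'Brien";   // constructed request value: a legitimate name containing a quote

try {
    print_r(fansByNicknameSpliced($db, 7, $input));
} catch (PDOException $e) {
    // The quote closed the LIKE literal and the parser failed on what followed:
    // the same literal boundary crossing that SQL injection relies on.
    echo "spliced: " . $e->getMessage() . "\n";
}

// Bound form: the quote travels as data and the stored name is matched.
print_r(fansByNicknameBound($db, 7, $input));
```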

4.

Vulnerability name:

WeEngine SQL injection

Description:

In WeEngine CMS's /web/source/paycenter/wxmicro.ctrl.php, the input parameter $post['member']['uid'] is not strictly type-cast, which leads to SQL injection.

Solution:

The full patched file follows; the parts in red are the additions and modifications.


```php
<?php
/**
 * [WeEngine System] Copyright (c) 2014 WE7.CC
 * WeEngine is NOT a free software, it under the license terms, visited http://www.we7.cc/ for more details.
 */
// Note: several array subscripts (e.g. $_W['user']['clerk_id']) were garbled in the
// page's copy of this file; they are restored here from the surrounding keys.
defined('IN_IA') or exit('Access Denied');
uni_user_permission_check('paycenter_wxmicro_pay');
$_W['page']['title'] = '刷卡支付-微信收款';
$dos = array('pay', 'query', 'checkpay');
$do = in_array($do, $dos) ? $do : 'pay';
load()->model('paycenter');
if ($do == 'pay') {
    if ($_W['isajax']) {
        $post = $_GPC['__input'];
        $fee = trim($post['fee']) ? trim($post['fee']) : message(error(-1, '订单金额不能为空'), '', 'ajax');
        $body = trim($post['body']) ? trim($post['body']) : message(error(-1, '商品名称不能为空'), '', 'ajax');
        $code = trim($post['code']);
        // The member id is cast to int before it reaches any query.
        $uid = intval($post['member']['uid']);
        if ($post['cash'] > 0 && empty($post['code'])) {
            message(error(-1, '授权码不能为空'), '', 'ajax');
        }
        $total = $money = floatval($post['fee']);
        if (!$total) {
            message(error(-1, '消费金额不能为空'), '', 'ajax');
        }
        $log = "系统日志:会员消费【{$total}】元";
        if ($uid > 0) {
            $user = pdo_get('mc_members', array('uniacid' => $_W['uniacid'], 'uid' => $uid));
            if (empty($user)) {
                message(error(-1, '用户不存在'), '', 'ajax');
            }
            $user['groupname'] = $_W['account']['groups'][$user['groupid']]['title'];
            load()->model('card');
            $card = card_setting();
            load()->model('card');
            $member = pdo_get('mc_card_members', array('uniacid' => $_W['uniacid'], 'uid' => $user['uid']));
            if (!empty($card) && $card['status'] == 1 && !empty($member)) {
                $user['discount'] = $card['discount'][$user['groupid']];
                if (!empty($user['discount']) && !empty($user['discount']['condition'])) {
                    if ($total >= $user['discount']['condition']) {
                        $log .= ",所在会员组【{$user['groupname']}】,可享受满【{$user['discount']['condition']}】元";
                        if ($card['discount_type'] == 1) {
                            $log .= "减【{$user['discount']['discount']}】元";
                            $money = $total - $user['discount']['discount'];
                        } else {
                            $discount = $user['discount']['discount'] * 10;
                            $log .= "打【{$discount}】折";
                            $money = $total * $user['discount']['discount'];
                        }
                        if ($money < 0) {
                            $money = 0;
                        }
                        $log .= ",实收金额【{$money}】元";
                    }
                }
                $post_money = strval($post['fact_fee']);
                if ($post_money != $money) {
                    message(error(-1, '实收金额错误'), '', 'ajax');
                }
                $post_credit1 = intval($post['credit1']);
                if ($post_credit1 > 0) {
                    if ($post_credit1 > $user['credit1']) {
                        message(error(-1, '超过会员账户可用积分'), '', 'ajax');
                    }
                }
                $post_offset_money = trim($post['offset_money']);
                $offset_money = 0;
                if ($post_credit1 && $card['offset_rate'] > 0 && $card['offset_max'] >= 0) {
                    if ($card['offset_max'] == '0') {
                        $offset_money = $post_credit1 / $card['offset_rate'];
                    } else {
                        $offset_money = min($card['offset_max'], $post_credit1 / $card['offset_rate']);
                    }
                    if ($offset_money != $post_offset_money) {
                        message(error(-1, '积分抵消金额错误'), '', 'ajax');
                    }
                    $credit1 = $post_credit1;
                    $log .= ",使用【{$post_credit1}】积分抵消【{$offset_money}】元";
                }
            }
            $credit2 = floatval($post['credit2']);
            if ($credit2 > 0) {
                if ($credit2 > $user['credit2']) {
                    message(error(-1, '超过会员账户可用余额'), '', 'ajax');
                }
                $log .= ",使用余额支付【{$credit2}】元";
            }
        } else {
            $post['cash'] = $post['fee'];
        }
        $cash = floatval($post['cash']);
        $sum = strval($credit2 + $cash + $offset_money);
        $money = strval($money);
        if ($sum != $money) {
            message(error(-1, '支付金额不等于实收金额'), '', 'ajax');
        }
        // First subscript pair was lost in extraction; restored as shown on the page's other branches.
        $realname = $post['member']['realname'] ? $post['member']['realname'] : $post['member']['realname'];
        if ($cash <= 0) {
            $data = array(
                'uniacid' => $_W['uniacid'],
                'uid' => $member['uid'],
                'status' => 0,
                'type' => 'wechat',
                'trade_type' => 'micropay',
                'fee' => $total,
                'final_fee' => $money,
                'credit1' => $post_credit1,
                'credit1_fee' => $offset_money,
                'credit2' => $credit2,
                'cash' => $cash,
                'body' => $body,
                'nickname' => $realname,
                'remark' => $log,
                'clerk_id' => $_W['user']['clerk_id'],
                'store_id' => $_W['user']['store_id'],
                'clerk_type' => $_W['user']['clerk_type'],   // subscript inferred from the array key
                'createtime' => TIMESTAMP,
                'status' => 1,
                'paytime' => TIMESTAMP,
                'credit_status' => 1,
            );
            pdo_insert('paycenter_order', $data);
            load()->model('mc');
            if ($post_credit1 > 0) {
                $status = mc_credit_update($member['uid'], 'credit1', -$post_credit1, array(0, "会员刷卡消费,使用积分抵现,扣除{$post_credit1}积分", 'system', $_W['user']['clerk_id'], $_W['user']['store_id'], $_W['user']['clerk_type']));
            }
            if ($credit2 > 0) {
                $status = mc_credit_update($member['uid'], 'credit2', -$credit2, array(0, "会员刷卡消费,使用余额支付,扣除{$credit2}余额", 'system', $_W['user']['clerk_id'], $_W['user']['store_id'], $_W['user']['clerk_type']));
            }
            message(error(0, '支付成功'), url('paycenter/wxmicro'), 'ajax');
        } else {
            $log .= ",使用刷卡支付【{$cash}】元";
            if (!empty($_GPC['remark'])) {
                $note = "店员备注:{$_GPC['remark']}";
            }
            $log = $note . $log;
            $isexist = pdo_get('paycenter_order', array('uniacid' => $_W['uniacid'], 'auth_code' => $code));
            if ($isexist) {
                message(error(-1, '每个二维码仅限使用一次,请刷新再试'), '', 'ajax');
            }
            $data = array(
                'uniacid' => $_W['uniacid'],
                'uid' => $member['uid'],
                'status' => 0,
                'type' => 'wechat',
                'trade_type' => 'micropay',
                'fee' => $total,
                'final_fee' => $money,
                'credit1' => $post_credit1,
                'credit1_fee' => $offset_money,
                'credit2' => $credit2,
                'cash' => $cash,
                'remark' => $log,
                'body' => $body,
                'nickname' => $realname,
                'auth_code' => $code,
                'clerk_id' => $_W['user']['clerk_id'],
                'store_id' => $_W['user']['store_id'],
                'clerk_type' => $_W['user']['clerk_type'],   // subscript inferred from the array key
                'createtime' => TIMESTAMP,
            );
            pdo_insert('paycenter_order', $data);
            $id = pdo_insertid();
            load()->classs('pay');
            $pay = Pay::create();
            $params = array(
                'tid' => $id,
                'module' => 'paycenter',
                'type' => 'wechat',
                'fee' => $cash,
                'body' => $body,
                'auth_code' => $code,
            );
            $pid = $pay->buildPayLog($params);
            if (is_error($pid)) {
                message($pid, '', 'ajax');
            }
            $log = pdo_get('core_paylog', array('plid' => $pid));
            pdo_update('paycenter_order', array('pid' => $pid, 'uniontid' => $log['uniontid']), array('id' => $id));
            $data = array(
                'out_trade_no' => $log['uniontid'],
                'body' => $body,
                'total_fee' => $log['fee'] * 100,
                'auth_code' => $code,
                'uniontid' => $log['uniontid']
            );
            $result = $pay->buildMicroOrder($data);
            if ($result['result_code'] == 'SUCCESS') {
                if (is_error($result)) {
                    message($result, '', 'ajax');
                } else {
                    $status = $pay->NoticeMicroSuccessOrder($result);
                    if (is_error($status)) {
                        message($status, '', 'ajax');
                    }
                    message(error(0, '支付成功'), url('paycenter/wxmicro'), 'ajax');
                }
            } else {
                message($result, '', 'ajax');
            }
        }
        exit();
    }
    $paycenter_records = pdo_fetchall("SELECT * FROM " . tablename('paycenter_order') . " WHERE uniacid = :uniacid AND clerk_id = :clerk_id ORDER BY id DESC LIMIT 0,10", array(':uniacid' => $_W['uniacid'], ':clerk_id' => $_W['user']['clerk_id']));
    $today_credit_total = pdo_fetchall("SELECT credit2 FROM " . tablename('paycenter_order') . " WHERE uniacid = :uniacid AND clerk_id = :clerk_id AND paytime > :starttime AND paytime < :endtime AND credit2 <> ''", array(':uniacid' => $_W['uniacid'], ':clerk_id' => trim($_W['user']['clerk_id']), ':starttime' => strtotime(date('Ymd')), ':endtime' => time()));
    $today_wechat_total = pdo_fetchall("SELECT cash FROM " . tablename('paycenter_order') . " WHERE uniacid = :uniacid AND clerk_id = :clerk_id AND paytime > :starttime AND paytime < :endtime AND cash <> ''", array(':uniacid' => $_W['uniacid'], ':clerk_id' => trim($_W['user']['clerk_id']), ':starttime' => strtotime(date('Ymd')), ':endtime' => time()));
    foreach ($today_wechat_total as $val) {
        $wechat_total += $val['cash'];
    }
    foreach ($today_credit_total as $val) {
        $credit_total += $val['credit2'];
    }
    $wechat_total = $wechat_total ? $wechat_total : '0';
    $credit_total = $credit_total ? $credit_total : '0';
    load()->model('card');
    $card_set = card_setting();
    $card_params = json_decode($card_set['params'], true);
    $grant_rate = $card_set['grant_rate'];
    unset($card_set['params'], $card_set['nums'], $card_set['times'], $card_set['business'], $card_set['html'], $card_set['description'], $card_set['card_id']);
    $card_set_str = json_encode($card_set);
}
if ($do == 'query') {
    if ($_W['isajax']) {
        $post = $_GPC['__input'];
        $uniontid = trim($post['uniontid']);
        load()->classs('pay');
        $pay = Pay::create();
        $result = $pay->queryOrder($uniontid, 2);
        if (is_error($result)) {
            message($result, '', 'ajax');
        }
        if ($result['trade_state'] == 'SUCCESS') {
            $status = $pay->NoticeMicroSuccessOrder($result);
            if (is_error($status)) {
                message($status, '', 'ajax');
            }
            message(error(0, '支付成功'), '', 'ajax');
        }
        message(error(-1, '支付失败,当前订单状态:' . $result['trade_state']), '', 'ajax');
    }
}
if ($do == 'checkpay') {
    if ($_W['isajax']) {
        $post = $_GPC['__input'];
        $uniontid = trim($post['uniontid']);
        load()->classs('pay');
        $pay = Pay::create();
        $result = $pay->queryOrder($uniontid, 2);
        if (is_error($result)) {
            message($result, '', 'ajax');
        }
        if ($result['trade_state'] == 'SUCCESS') {
            $status = $pay->NoticeMicroSuccessOrder($result);
            if (is_error($status)) {
                message($status, '', 'ajax');
            }
            message($result, '', 'ajax');
        }
        message($result, '', 'ajax');
    }
}
template('paycenter/wxmicro');
```

5.

Vulnerability name:

WeEngine SQL injection

Description:

In WeEngine's /web/source/extension/menu.ctrl.php, the input parameter id is not strictly filtered, which leads to SQL injection.

Solution:

The full patched file follows; the parts in red are the additions.


```php
<?php
// Note: per-row subscripts such as $_GPC['url'][$k] were garbled in the page's copy
// of this file; they are restored here following the pattern of the intact lines.
defined('IN_IA') or exit('Access Denied');
$dos = array('display', 'del', 'ajax', 'module', 'view', 'switch', 'del_bind', 'edit-bind');
$do = in_array($do, $dos) ? $do : 'display';
load()->model('frame');
if ($do == 'display') {
    $menus = frame_lists();
    if (checksubmit('submit')) {
        foreach ($_GPC['id'] as $k => $v) {
            // Every id coming from the request is cast to int before use.
            $v = intval($v);
            $update = array();
            $menuid = intval($v);
            $k = intval($k);
            $title = trim($_GPC['title'][$k]);
            $is_system = intval($_GPC['is_system'][$k]);
            if ($menuid && $title) {
                $update = array(
                    'title' => $title,
                    'displayorder' => intval($_GPC['displayorder'][$k]),
                );
                if (!$is_system) {
                    $update['url'] = trim($_GPC['url'][$k]);
                    $update['append_title'] = trim($_GPC['append_title'][$k]);
                    $update['append_url'] = trim($_GPC['append_url'][$k]);
                }
                pdo_update('core_menu', $update, array('id' => $menuid));
            }
        }
        if (!empty($_GPC['add_parent_name'])) {
            $exist_names = array();
            foreach ($_GPC['add_parent_name'] as $k1 => $v1) {
                $insert = array();
                $add_parent_title = trim($_GPC['add_parent_title'][$k1]);
                $add_parent_name = trim($_GPC['add_parent_name'][$k1]);
                $name_exist = pdo_get('core_menu', array('name' => $add_parent_name, 'pid' => 0));
                if (!empty($name_exist)) {
                    $exist_names[] = $add_parent_name;
                    continue;
                }
                if ($add_parent_title && $add_parent_name) {
                    $insert = array(
                        'pid' => 0,
                        'title' => $add_parent_title,
                        'name' => $add_parent_name,
                        'append_title' => trim($_GPC['add_parent_append_title'][$k1]),
                        'displayorder' => intval($_GPC['add_parent_displayorder'][$k1]),
                        'is_system' => 0
                    );
                    pdo_insert('core_menu', $insert);
                }
            }
        }
        if (!empty($_GPC['add_pid'])) {
            foreach ($_GPC['add_pid'] as $k1 => $v1) {
                $insert = array();
                $v1 = intval($v1);
                $add_title = trim($_GPC['add_title'][$k1]);
                $add_name = trim($_GPC['add_name'][$k1]);
                if ($v1 && $add_title && $add_name) {
                    $insert = array(
                        'pid' => $v1,
                        'title' => $add_title,
                        'name' => $add_name,
                        'displayorder' => intval($_GPC['add_displayorder'][$k1]),
                        'is_system' => 0
                    );
                    pdo_insert('core_menu', $insert);
                }
            }
        }
        if (!empty($_GPC['add_child_pid'])) {
            foreach ($_GPC['add_child_pid'] as $k2 => $v2) {
                $insert = array();
                $v2 = intval($v2);
                $add_child_title = trim($_GPC['add_child_title'][$k2]);
                $add_child_name = trim($_GPC['add_child_name'][$k2]);
                $add_child_url = trim($_GPC['add_child_url'][$k2]);
                if ($v2 && $add_child_title && $add_child_name && $add_child_url) {
                    $insert = array(
                        'pid' => $v2,
                        'title' => $add_child_title,
                        'name' => $add_child_name,
                        'url' => $add_child_url,
                        'type' => 'url',
                        'displayorder' => intval($_GPC['add_child_displayorder'][$k2]),
                        'is_system' => 0,
                        'permission_name' => trim($_GPC['add_child_permission'][$k2]),
                    );
                    $add_child_append_title = trim($_GPC['add_child_append_title'][$k2]);
                    $add_child_append_url = trim($_GPC['add_child_append_url'][$k2]);
                    if ($add_child_append_title && $add_child_append_url) {
                        $insert['append_title'] = $add_child_append_title;
                        $insert['append_url'] = $add_child_append_url;
                    }
                    pdo_insert('core_menu', $insert);
                }
            }
        }
        if (!empty($_GPC['add_permission_pid'])) {
            foreach ($_GPC['add_permission_pid'] as $k1 => $v1) {
                $insert = array();
                $v1 = intval($v1);
                $add_permission_title = trim($_GPC['add_permission_title'][$k1]);
                $add_permission_name = trim($_GPC['add_permission_name'][$k1]);
                $add_permission_flag = trim($_GPC['add_permission_flag'][$k1]);
                $isexist = pdo_fetchcolumn('SELECT id FROM ' . tablename('core_menu') . ' WHERE permission_name = :permission_name', array(':permission_name' => $add_permission_name));
                if (!empty($isexist)) {
                    continue;
                }
                if ($v1 && $add_permission_title && $add_permission_name && $add_permission_flag) {
                    $insert = array(
                        'pid' => $v1,
                        'title' => $add_permission_title,
                        'name' => $add_permission_flag,
                        'permission_name' => $add_permission_name,
                        'type' => 'permission',
                        'displayorder' => intval($_GPC['add_permission_displayorder'][$k1]),
                        'is_system' => 0,
                        'is_display' => 0,
                    );
                    pdo_insert('core_menu', $insert);
                }
            }
        }
        cache_build_frame_menu();
        if (!empty($exist_names)) {
            $exist_names = implode(',', $exist_names);
            message($exist_names . "标识已存在", referer(), 'info');
        }
        message('更新菜单成功', referer(), 'success');
    }
    template('extension/menu');
}
if ($do == 'del') {
    // id is cast to int, so the "{$id}" interpolated into the DELETE below cannot carry SQL.
    $id = intval($_GPC['id']);
    $menu = pdo_fetch('SELECT * FROM ' . tablename('core_menu') . ' WHERE id = :id', array(':id' => $id));
    if ($menu['is_system']) {
        message('系统分类不能删除', referer(), 'error');
    }
    $ids = pdo_fetchall('SELECT id FROM ' . tablename('core_menu') . ' WHERE pid = :id', array(':id' => $id), 'id');
    if (!empty($ids)) {
        $ids_str = implode(',', array_keys($ids));
        pdo_query('DELETE FROM ' . tablename('core_menu') . " WHERE pid IN ({$ids_str})");
        pdo_query('DELETE FROM ' . tablename('core_menu') . " WHERE id IN ({$ids_str})");
    }
    pdo_query('DELETE FROM ' . tablename('core_menu') . " WHERE id = {$id}");
    cache_build_frame_menu();
    message('删除分类成功', referer(), 'success');
}
if ($do == 'ajax') {
    $id = intval($_GPC['id']);
    $value = intval($_GPC['value']) ? 0 : 1;
    pdo_update('core_menu', array('is_display' => $value), array('id' => $id));
    cache_build_frame_menu();
    exit();
}
if ($do == 'module') {
    load()->model('module');
    if (checksubmit('submit')) {
        if (!empty($_GPC['eid'])) {
            foreach ($_GPC['eid'] as $k => $v) {
                $update = array();
                $entry = trim($_GPC['entry'][$k]);
                if ($entry == 'mine') {
                    $update['url'] = trim($_GPC['url'][$k]);
                }
                $update['icon'] = empty($_GPC['icon'][$k]) ? 'fa fa-puzzle-piece' : $_GPC['icon'][$k];
                $update['displayorder'] = intval($_GPC['displayorder'][$k]);
                pdo_update('modules_bindings', $update, array('eid' => intval($v)));
            }
        }
        if (!empty($_GPC['add_title'])) {
            foreach ($_GPC['add_title'] as $k => $v) {
                $title = trim($v);
                $url = trim($_GPC['add_url'][$k]);
                $m = trim($_GPC['add_module'][$k]);
                if (strexists($url, 'http://') || strexists($url, 'https://')) {
                    if (strexists($url, $_W['siteroot'])) {
                        $url = './index.php?' . str_replace($_W['siteroot'] . 'web/index.php?', '', $url);
                    }
                }
                $icon = empty($_GPC['add_icon'][$k]) ? 'fa fa-puzzle-piece' : trim($_GPC['add_icon'][$k]);
                if ($title && $url && $m) {
                    $data = array();
                    $data['do'] = '';
                    $data['module'] = $m;
                    $data['entry'] = 'mine';
                    $data['title'] = $title;
                    $data['url'] = $url;
                    $data['icon'] = $icon;
                    $data['displayorder'] = intval($_GPC['add_displayorder'][$k]);
                    pdo_insert('modules_bindings', $data);
                } else {
                    continue;
                }
            }
        }
        message('更新模块菜单成功', 'refresh', 'success');
    }
    $modules = pdo_fetchall('SELECT mid, name, title FROM ' . tablename('modules') . ' WHERE issystem = 0');
    foreach ($modules as &$li) {
        $li['entry'] = module_entries($li['name'], array('mine', 'menu'));
    }
    template('extension/module-permission');
}
if ($do == 'del_bind') {
    $eid = intval($_GPC['eid']);
    $permission = intval($_GPC['permission']);
    pdo_delete('modules_bindings', array('eid' => $eid, 'entry' => 'mine'));
    exit();
}
```

6.

Vulnerability name:

SQL injection in the latest WeEngine version

Description:

The htmlspecialchars_decode function transforms the \' produced by the global GPC filtering; when the tainted value of the user-controllable parameter $html is then inserted into the database, a SQL injection vulnerability results.

Location: /web/source/site/editor.ctrl.php

Solution:

Open the file "/web/source/site/editor.ctrl.php", find `if (!empty($nav)) {` starting from line 127, add `$nav['id'] = intval($nav['id']);` on the line below it, save the file and run the verification; that's it.

How to contact me: [My company] www.xinzhenkj.com (信真科技) [Technical consulting] www.laohuzx.com [万里虎] www.bravetiger.cn (team blog) [QQ] 3396726884


posted @ 2017-08-07 13:02 谦信君 reads (8539) comments (0)
