The vulnerability is in auction_list.php in the site root, lines 77 to 86:
/* Browsing records */
$getcookie = get_hisgoods_cookie();
$goodshistory = array();
if ($getcookie) {
    arsort($getcookie);
    $getcookie = array_keys($getcookie);
    $gethisgoodsid = implode(",", array_slice($getcookie, 0, 4));
    $sql = "select is_set_image, goods_id, goods_name, goods_thumb, goods_price from $t_goods where goods_id in ($gethisgoodsid)";
    $goodshistory = $dbo->getRs($sql);
}
$gethisgoodsid is spliced into the query without any filtering or quoting. It is built from the keys of $getcookie, so follow that variable back to the get_hisgoods_cookie() function.

In foundation/fcookie.php:

function get_hisgoods_cookie() {
    return get_cookie("hisgoods");
}

Also in foundation/fcookie.php:

function get_cookie($k) {
    global $session_prefix;
    if (isset($_COOKIE[$session_prefix . $k])) return $_COOKIE[$session_prefix . $k];
    return null;
}

The value is read straight out of $_COOKIE, so the client controls both the keys and the values of the hisgoods array. The keys are sorted by value, the newest four are joined with commas and the result lands unquoted inside the IN (...) clause; that is the SQL injection.
Test method:
First view any product, then open http://localhost/auction_list.php. In the browser's cookie viewer you will find an entry similar to iweb_hisgoods[22]=1282282762, where 22 is the id of the product you just viewed and iweb_ is the $session_prefix. First append a single quotation mark after "22": the resulting SQL error message discloses the table prefix. Then change "22" to "22) and 1%3D2 union select 1, admin_password, admin_name from ishop_admin_user -- " (ishop_ is the prefix you just obtained; %3D is the URL-encoded "=", which cannot appear literally in a cookie value; the closing "--" must be followed by a space). Because the injected SELECT is UNIONed with a five-column query, it must return the same number of columns as the original select for MySQL to accept it. Open http://localhost/auction_list.php again and look at the "recently viewed" block at the lower right: the administrator account and password are shown in place of the product data.
Solution:
Filter $gethisgoodsid. The keys of the hisgoods cookie are goods IDs and should only ever be positive integers, so cast each key with intval() (dropping anything that is not a positive integer) before the implode(), rather than trying to quote or escape the string; a prepared statement is the better option where the database layer supports one.
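The hardened version of the cookie-to-SQL path, as an added example that is not code from the original page or from the iWebShop/ishop project. It keeps the writeup's names ($t_goods, $dbo, get_hisgoods_cookie, the hisgoods[<goods_id>] = <timestamp> cookie layout); the function names and the sample cookie are this example's own, and it assumes PHP 7.1 or later for the type declarations.

```php
<?php
// Added example (not the iWebShop project's own code): a hardened
// replacement for the cookie-to-SQL path in auction_list.php.

/**
 * Reduce the hisgoods cookie array (hisgoods[<goods_id>] = <view timestamp>)
 * to at most $limit distinct positive integer IDs, newest view first.
 * Both keys and values come from the client, so anything that is not a
 * plain integer is dropped instead of being quoted.
 */
function safe_hisgoods_ids(array $cookie, int $limit = 4): array
{
    $views = [];
    foreach ($cookie as $key => $ts) {
        // PHP stores the key "22" as int 22; "22'" and "22) and 1%3D2 union ..."
        // stay strings, so is_int() alone rejects every injected key.
        if (!is_int($key) || $key <= 0) {
            continue;
        }
        // arsort() below orders by timestamp, so that must be an integer too.
        if (!is_int($ts) && !ctype_digit((string) $ts)) {
            continue;
        }
        $views[$key] = (int) $ts;
    }
    arsort($views, SORT_NUMERIC);   // most recently viewed first, as the original does
    return array_slice(array_keys($views), 0, $limit);
}

/**
 * Build the lookup query. Only integers reach the IN list, so interpolating
 * them is safe; use a prepared statement instead where $dbo offers one.
 */
function hisgoods_sql(string $t_goods, array $ids): ?string
{
    if ($ids === []) {
        return null;                // nothing viewed; "IN ()" would be a syntax error
    }
    return "select is_set_image, goods_id, goods_name, goods_thumb, goods_price"
         . " from $t_goods where goods_id in (" . implode(',', $ids) . ")";
}

// Constructed sample cookie: one normal view, the two keys from the test
// method above, and an older view of another product.
$sample = [
    '22'  => '1282282762',
    "22'" => '1282282762',
    '22) and 1%3D2 union select 1, admin_password, admin_name from ishop_admin_user -- ' => '1282282763',
    '17'  => '1282280000',
];
$ids = safe_hisgoods_ids($sample);
echo implode(',', $ids), "\n";
echo hisgoods_sql('ishop_goods', $ids), "\n";

// Drop-in for auction_list.php (assumes the writeup's variable names):
// $getcookie = get_hisgoods_cookie();
// $goodshistory = array();
// if (is_array($getcookie) && ($sql = hisgoods_sql($t_goods, safe_hisgoods_ids($getcookie)))) {
//     $goodshistory = $dbo->getRs($sql);
// }
```

Only the two legitimate product IDs survive the filter, so the query that reaches $dbo->getRs() contains nothing but comma-separated integers. The is_array() check in the drop-in matters as well: a client can send iweb_hisgoods=foo instead of an array, and the original code would hand that string to arsort().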