ProjectSend R561 SQL INJ Analysis
注入出现在./client-edit.php中
1 ...... 2 if (isset($_GET['id'])) { 3 $client_id = mysql_real_escape_string($_GET['id']); 4 /** 5 * Check if the id corresponds to a real client. 6 * Return 1 if true, 2 if false. 7 **/ 8 $page_status = (client_exists_id($client_id)) ? 1 : 2; 9 } 10 else { 11 /** 12 * Return 0 if the id is not set. 13 */ 14 $page_status = 0; 15 } 16 17 /** 18 * Get the clients information from the database to use on the form. 19 */ 20 if ($page_status === 1) { 21 $editing = $database->query("SELECT * FROM tbl_users WHERE id=$client_id"); 22 ......
$client_id通过GET方式获取值,用Mysql_real_escape_string()处理特殊字符,但是这里$_GET['id']是数值型的,不考虑单引号的问题,可以直接注入。