case 'edit_settle':
// Saves the merchant's settlement (payout) destination into `pre_user`.
// stype: 1 = Alipay account, 2 = WeChat id, 3 = QQ number (validated below).
// Depends on $userrow, $uid, $conf, $_SESSION and $DB, all defined outside this excerpt.
$type=intval($_POST['stype']);
// Input handling: trim + strip_tags + htmlspecialchars + daddslashes.
// NOTE(review): htmlspecialchars() is called without ENT_QUOTES; before PHP 8.1 the
// default (ENT_COMPAT) encodes double quotes only, so a single quote passes through.
// daddslashes (presumably an addslashes-style escape -- confirm) only protects the UPDATE
// below; the stored value is the unescaped one, which matters for any later query that
// re-reads `account`/`username` and interpolates them (second-order injection).
$account=daddslashes(htmlspecialchars(strip_tags(trim($_POST['account']))));
$username=daddslashes(htmlspecialchars(strip_tags(trim($_POST['username']))));
// Loose comparison with null: rejects the empty string (and nothing else useful).
if($account==null || $username==null){
exit('{"code":-1,"msg":"请确保每项都不为空"}');
}
// Alipay: rejected only when the value is neither 11 chars long nor contains '@'.
// NOTE(review): `strpos(...)==false` is a loose comparison -- an '@' at offset 0 compares
// equal to false and is treated as "no '@'". Use `=== false` (cf. line with `strpos($userrow['email'],'@')===false`).
if($type==1 && strlen($account)!=11 && strpos($account,'@')==false){
exit('{"code":-1,"msg":"请填写正确的支付宝账号!"}');
}
if($type==2 && strlen($account)<3){
exit('{"code":-1,"msg":"请填写正确的微信"}');
}
if($type==3 && (strlen($account)<5 || strlen($account)>10 || !is_numeric($account))){
exit('{"code":-1,"msg":"请填写正确的QQ号码"}');
}
// NOTE(review): $type is not restricted to 1..3 -- any other integer skips every
// format check above, and no branch caps the length of $account or $username.
// Changing an already-set account/username requires a prior verification step
// (phone when $conf['verifytype']==1, email when ==0) unless the session already
// carries verify_ok for this uid. Users with type 2 are exempt from this gate.
if($userrow['type']!=2 && !empty($userrow['account']) && !empty($userrow['username']) && ($userrow['account']!=$account || $userrow['username']!=$username) && $_SESSION['verify_ok']!==$uid){
if($conf['verifytype']==1 && (empty($userrow['phone']) || strlen($userrow['phone'])!=11)){
exit('{"code":-1,"msg":"请先绑定手机号码!"}');
}elseif($conf['verifytype']==0 && (empty($userrow['email']) || strpos($userrow['email'],'@')===false)){
exit('{"code":-1,"msg":"请先绑定邮箱!"}');
}
exit('{"code":2,"msg":"need verify"}');
}
// String-built SQL. $type is an int and $account/$username were passed through
// daddslashes above, so this statement itself is not where the injection fires;
// a prepared statement would still be the robust choice.
$sqs=$DB->exec("update `pre_user` set `settle_id` ='{$type}',`account` ='{$account}',`username` ='{$username}' where `uid`='$uid'");
if($sqs!==false){
exit('{"code":1,"msg":"succ"}');
}else{
// NOTE(review): $DB->error() is concatenated into hand-built JSON without escaping;
// a message containing a quote yields invalid JSON.
exit('{"code":-1,"msg":"保存失败!'.$DB->error().'"}');
}
break;
这里在获取参数时虽然做了 strip_tags、htmlspecialchars 和 daddslashes 处理，但 htmlspecialchars 在未传 ENT_QUOTES 时（PHP 8.1 之前的默认值 ENT_COMPAT）只会编码双引号，不会编码单引号；而 daddslashes 只是为当前这条 UPDATE 语句做转义，数据真正写入数据库后反斜杠并不保留，单引号会原样存下来。
参考:https://www.w3school.com.cn/php/func_string_htmlspecialchars.asp
所以我们可以把带单引号的恶意内容带入数据库中，接下来只需要找到一个把这些字段重新读出来并拼接进 SQL（或页面）的输出利用点即可。
if(isset($_GET['act']) && $_GET['act']=='do'){
// Withdrawal request handler: validates the requested amount, computes the fee,
// records a `pre_settle` row and debits the user's balance.
// $enable_money, $userrow, $conf, $uid, $date and $DB are defined outside this excerpt.
if($_POST['submit']=='申请提现'){
// Amount must satisfy both is_numeric() and ^[0-9.]+$, which rules out signs,
// exponents, hex/whitespace forms that is_numeric() alone would accept.
$money=daddslashes(strip_tags($_POST['money']));
if(!is_numeric($money) || !preg_match('/^[0-9.]+$/', $money))exit("<script language='javascript'>alert('提现金额输入不规范');history.go(-1);</script>");
// Available balance must reach the configured minimum before any withdrawal.
if($enable_money<$conf['settle_money']){
exit("<script language='javascript'>alert('满{$conf['settle_money']}元才可以提现!');history.go(-1);</script>");
}
if($money<$conf['settle_money']){
exit("<script language='javascript'>alert('最低提现金额为{$conf['settle_money']}元');history.go(-1);</script>");
}
// NOTE(review): nothing visible here checks $money against $enable_money -- only the
// minimum is enforced. Unless changeUserMoney() refuses an overdraft, a request above
// the balance is accepted; confirm in that helper.
if($userrow['settle']==0){
exit("<script language='javascript'>alert('您的商户出现异常,无法提现');history.go(-1);</script>");
}
// Fee = settle_rate percent of the amount, clamped to [settle_fee_min, settle_fee_max]
// when a rate is configured; otherwise the full amount is paid out.
// NOTE(review): if settle_fee_min exceeds $money, $realmoney becomes negative --
// depends on config invariants not visible here.
if($conf['settle_rate']>0){
$fee=round($money*$conf['settle_rate']/100,2);
if($fee<$conf['settle_fee_min'])$fee=$conf['settle_fee_min'];
if($fee>$conf['settle_fee_max'])$fee=$conf['settle_fee_max'];
$realmoney=$money-$fee;
}else{
$realmoney=$money;
}
// SECURITY: $userrow['username'] and $userrow['account'] are read back from the
// database and interpolated into this INSERT with no escaping. They originate from
// user input in the edit_settle handler, where only the UPDATE itself was escaped,
// so a stored single quote lands here unescaped: second-order SQL injection.
// Minimal fix consistent with this file: wrap both in daddslashes() before
// interpolating; the proper fix is a prepared statement with bound parameters.
// $money is constrained by the regex above and settle_id was written via intval().
if($DB->exec("INSERT INTO `pre_settle` (`uid`, `type`, `username`, `account`, `money`, `realmoney`, `addtime`, `status`) VALUES ('{$uid}', '{$userrow['settle_id']}', '{$userrow['username']}', '{$userrow['account']}', '{$money}', '{$realmoney}', '{$date}', '0')")){
// Balance is debited only when the settle row was written.
changeUserMoney($uid, $money, false, '手动提现');
}
// NOTE(review): the success message is shown even when the INSERT above failed.
exit("<script language='javascript'>alert('申请提现成功!');window.location.href='./settle.php';</script>");
}
}
申请提现时，代码把从数据库读出的 $userrow['account'] 和 $userrow['username'] 直接拼接进 INSERT 语句，没有做任何转义，因此形成二次（存储型）注入；$money 受 is_numeric 和 ^[0-9.]+$ 限制，settle_id 写入时经过了 intval，都不是注入点。由于这两个字段在数据库中都有长度限制，单个字段放不下完整的 payload，需要把 payload 拆分到 account 与 username 两个字段中配合使用，才能构造出完整可用的 INSERT 注入。修复方式：读出后同样经过 daddslashes() 再拼接，或改用预处理语句绑定参数。