修复一些SQL注入漏洞

burpheart · Aug 12, 2020 · 1639dab · Rhilip · Oct 20, 2020 · gudumibug
1 parent f781c10
commit 1639dab
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 8 deletions.
diff --git a/forummanage.php b/forummanage.php
@@ -45,7 +45,7 @@
 	else{
 		sql_query("DELETE FROM forummods WHERE forumid=".sqlesc($id)) or sqlerr(__FILE__, __LINE__);
 	}
-	sql_query("UPDATE forums SET sort = '" . $_POST['sort'] . "', name = " . sqlesc($_POST['name']). ", description = " . sqlesc($_POST['desc']). ", forid = ".sqlesc(($_POST['overforums'])).", minclassread = '" . $_POST['readclass'] . "', minclasswrite = '" . $_POST['writeclass'] . "', minclasscreate = '" . $_POST['createclass'] . "' where id = ".sqlesc($id)) or sqlerr(__FILE__, __LINE__);
+	sql_query("UPDATE forums SET sort = '" . sqlesc($_POST['sort']) . "', name = " . sqlesc($_POST['name']). ", description = " . sqlesc($_POST['desc']). ", forid = ".sqlesc(($_POST['overforums'])).", minclassread = '" . sqlesc($_POST['readclass']) . "', minclasswrite = '" . sqlesc($_POST['writeclass']) . "', minclasscreate = '" . sqlesc($_POST['createclass']) . "' where id = ".sqlesc($id)) or sqlerr(__FILE__, __LINE__);
 	$Cache->delete_value('forums_list');
 	$Cache->delete_value('forum_moderator_array');
 	header("Location: forummanage.php");
@@ -60,7 +60,7 @@
 		header("Location: " . get_protocol_prefix() . "$BASEURL/forummanage.php");
 		die();
 	}
-	sql_query("INSERT INTO forums (sort, name,  description, minclassread,  minclasswrite, minclasscreate, forid) VALUES(" . $_POST['sort'] . ", " . sqlesc($_POST['name']). ", " . sqlesc($_POST['desc']). ", " . $_POST['readclass'] . ", " . $_POST['writeclass'] . ", " . $_POST['createclass'] . ", ".sqlesc(($_POST['overforums'])).")") or sqlerr(__FILE__, __LINE__);
+	sql_query("INSERT INTO forums (sort, name,  description, minclassread,  minclasswrite, minclasscreate, forid) VALUES(" . sqlesc($_POST['sort']) . ", " . sqlesc($_POST['name']). ", " . sqlesc($_POST['desc']). ", " . sqlesc($_POST['readclass']) . ", " . sqlesc($_POST['writeclass']) . ", " . sqlesc($_POST['createclass']) . ", ".sqlesc(($_POST['overforums'])).")") or sqlerr(__FILE__, __LINE__);
 	$Cache->delete_value('forums_list');
 	if ($_POST["moderator"]){
 	$id = mysql_insert_id();

diff --git a/include/functions.php b/include/functions.php
@@ -448,7 +448,7 @@ function int_check($value,$stdhead = false, $stdfood = true, $die = true, $log =
 	else
 	{
 		if (!is_valid_id($value)) {
-			$msg = "Invalid ID Attempt: Username: ".$CURUSER["username"]." - UserID: ".$CURUSER["id"]." - UserIP : ".getip();
+			$msg = "Invalid ID Attempt: Username: ".$CURUSER["username"]." - UserID: ".$CURUSER["id"]." - UserIP : ".getip()." - IDValue : ".htmlspecialchars($value);//记录详细操作 便于判断用户是否真的违规操作 给予封禁
 			if ($log)
 				write_log($msg,'mod');
 
@@ -471,7 +471,7 @@ function int_check($value,$stdhead = false, $stdfood = true, $die = true, $log =
 
 function is_valid_id($id)
 {
-	return is_numeric($id) && ($id > 0) && (floor($id) == $id);
+	return is_numeric($id) && ($id >= 0) && (floor($id) == $id);
 }
 
 

diff --git a/modrules.php b/modrules.php
@@ -39,6 +39,7 @@
 }
 elseif ($_GET["act"] == "edit"){
 	$id = $_GET["id"];
+	int_check($id);
 	$res = @mysql_fetch_array(@sql_query("select * from rules where id='$id'"));
 	stdhead("Edit rules");
 	//print("<td valign=top style=\"padding: 10px;\" colspan=2 align=center>");

diff --git a/staffbox.php b/staffbox.php
@@ -129,7 +129,7 @@
         $receiver = 0 + $_GET["receiver"];
 
         int_check($receiver,true);
-
+        int_check($answeringto,true); //防止sql注入
         $res = sql_query("SELECT * FROM users WHERE id=$receiver") or die(mysql_error());
         $user = mysql_fetch_assoc($res);
 
@@ -219,7 +219,7 @@
     permissiondenied();
 
 $id = 0 + $_GET["id"];
-
+int_check($id,true);
 sql_query ("UPDATE staffmessages SET answered=1, answeredby = $CURUSER[id] WHERE id = $id") or sqlerr();
 $Cache->delete_value('staff_new_message_count');
 header("Refresh: 0; url=staffbox.php?action=viewpm&pmid=$id");
@@ -232,7 +232,7 @@
 if ($action == "takecontactanswered") {
 	if (get_user_class() < $staffmem_class)
 		permissiondenied();
-
+int_check($_POST[setanswered],true);
 if ($_POST['setdealt']){
 	$res = sql_query ("SELECT id FROM staffmessages WHERE answered=0 AND id IN (" . implode(", ", $_POST[setanswered]) . ")");
 	while ($arr = mysql_fetch_assoc($res))

diff --git a/takestaffmess.php b/takestaffmess.php
@@ -16,7 +16,7 @@
 $updateset = $_POST['clases'];
 if (is_array($updateset)) {
 	foreach ($updateset as $class) {
-		if (!is_valid_id($class) && $class != 0)
+		if (!is_valid_id($class))  //这种判断可以被直接绕过  当有一个对比参数是整数的时候，会把另外一个参数强制转换为整数。 如果参数开头不是整数就会返回0 把是否等于零放入is_valid_id函数内判断
 			stderr("Error","Invalid Class");
 	}
 }else{