fix: 执行sql 语句时，如果数据本身包含换行符和html标签的情况

增加base64编码，同时前端也html编码一次避免xss 只修改了php shell 类型的，实际测试php + mysql 通过

fix: 执行sql 语句时，如果数据本身包含换行符和html标签的情况
增加base64编码，同时前端也html编码一次避免xss 只修改了php shell 类型的，实际测试php + mysql 通过
095ab9af · peablog · 596e261a · 095ab9af · 095ab9af · 095ab9af
Commit 095ab9af authored Mar 18, 2016 by peablog
5 changed files
--- a/source/core/php/template/database/informix.jsx
+++ b/source/core/php/template/database/informix.jsx
@@ -38,7 +38,7 @@ module.exports = {
  // 执行SQL语句
  query: {
    _:
-      `$m=get_magic_quotes_gpc();$hst=$m?stripslashes($_POST["${arg1}"]):$_POST["${arg1}"];$usr=$m?stripslashes($_POST["${arg2}"]):$_POST["${arg2}"];$pwd=$m?stripslashes($_POST["${arg3}"]):$_POST["${arg3}"];$dbn=$m?stripslashes($_POST["${arg4}"]):$_POST["${arg4}"];$sql=base64_decode($_POST["${arg5}"]);$T=(strlen($usr)>0)?@ifx_connect($hst,$usr,$pwd):@ifx_connect($hst);$q=@ifx_query($sql,$T);$i=0;while($rs=@ifx_fetch_row($q)){if($i==0){for(reset($rs);$f=key($rs);next($rs)){echo($f."\t|\t");}echo("\r\n");}for(reset($rs);$f=key($rs);next($rs)){echo(trim($rs[$f]));echo("\t|\t");}echo("\r\n");$i++;}@ifx_close($T);`,
+      `$m=get_magic_quotes_gpc();$hst=$m?stripslashes($_POST["${arg1}"]):$_POST["${arg1}"];$usr=$m?stripslashes($_POST["${arg2}"]):$_POST["${arg2}"];$pwd=$m?stripslashes($_POST["${arg3}"]):$_POST["${arg3}"];$dbn=$m?stripslashes($_POST["${arg4}"]):$_POST["${arg4}"];$sql=base64_decode($_POST["${arg5}"]);$T=(strlen($usr)>0)?@ifx_connect($hst,$usr,$pwd):@ifx_connect($hst);$q=@ifx_query($sql,$T);$i=0;while($rs=@ifx_fetch_row($q)){if($i==0){for(reset($rs);$f=key($rs);next($rs)){echo($f."\t|\t");}echo("\r\n");}for(reset($rs);$f=key($rs);next($rs)){echo(base64_encode(trim($rs[$f])));echo("\t|\t");}echo("\r\n");$i++;}@ifx_close($T);`,
    [arg1]: '#{host}',
    [arg2]: '#{user}',
    [arg3]: '#{passwd}',

--- a/source/core/php/template/database/mssql.jsx
+++ b/source/core/php/template/database/mssql.jsx
@@ -39,7 +39,7 @@ module.exports = {
  // 执行SQL语句
  query: {
    _:
-      `$m=get_magic_quotes_gpc();$hst=$m?stripslashes($_POST["${arg1}"]):$_POST["${arg1}"];$usr=$m?stripslashes($_POST["${arg2}"]):$_POST["${arg2}"];$pwd=$m?stripslashes($_POST["${arg3}"]):$_POST["${arg3}"];$dbn=$m?stripslashes($_POST["${arg4}"]):$_POST["${arg4}"];$sql=base64_decode($_POST["${arg5}"]);$T=@mssql_connect($hst,$usr,$pwd);@mssql_select_db($dbn,$db);$q=@mssql_query($sql,$T);$i=0;while($rs=@mssql_fetch_field($q)){echo($rs->name."\t|\t");$i++;}echo("\r\n");while($rs=@mssql_fetch_row($q)){for($c=0;$c<$i;$c++){echo(trim($rs[$c]));echo("\t|\t");}echo("\r\n");}@mssql_free_result($q);@mssql_close($T);`,
+      `$m=get_magic_quotes_gpc();$hst=$m?stripslashes($_POST["${arg1}"]):$_POST["${arg1}"];$usr=$m?stripslashes($_POST["${arg2}"]):$_POST["${arg2}"];$pwd=$m?stripslashes($_POST["${arg3}"]):$_POST["${arg3}"];$dbn=$m?stripslashes($_POST["${arg4}"]):$_POST["${arg4}"];$sql=base64_decode($_POST["${arg5}"]);$T=@mssql_connect($hst,$usr,$pwd);@mssql_select_db($dbn,$db);$q=@mssql_query($sql,$T);$i=0;while($rs=@mssql_fetch_field($q)){echo($rs->name."\t|\t");$i++;}echo("\r\n");while($rs=@mssql_fetch_row($q)){for($c=0;$c<$i;$c++){echo(base64_encode(trim($rs[$c])));echo("\t|\t");}echo("\r\n");}@mssql_free_result($q);@mssql_close($T);`,
    [arg1]: '#{host}',
    [arg2]: '#{user}',
    [arg3]: '#{passwd}',

--- a/source/core/php/template/database/mysql.jsx
+++ b/source/core/php/template/database/mysql.jsx
@@ -39,7 +39,7 @@ module.exports = {
  // 执行SQL语句
  query: {
    _:
-      `$m=get_magic_quotes_gpc();$hst=$m?stripslashes($_POST["${arg1}"]):$_POST["${arg1}"];$usr=$m?stripslashes($_POST["${arg2}"]):$_POST["${arg2}"];$pwd=$m?stripslashes($_POST["${arg3}"]):$_POST["${arg3}"];$dbn=$m?stripslashes($_POST["${arg4}"]):$_POST["${arg4}"];$sql=base64_decode($_POST["${arg5}"]);$T=@mysqli_connect($hst,$usr,$pwd);@mysqli_query($T,"SET NAMES ${arg6}");@mysqli_select_db($T,$dbn);$q=@mysqli_query($T,$sql);$i=0;while($col=@mysqli_fetch_field($q)){echo($col->name."\t|\t");$i++;}echo("\r\n");while($rs=@mysqli_fetch_row($q)){for($c=0;$c<$i;$c++){echo(trim($rs[$c]));echo("\t|\t");}echo("\r\n");}@mysqli_close($T);`,
+      `$m=get_magic_quotes_gpc();$hst=$m?stripslashes($_POST["${arg1}"]):$_POST["${arg1}"];$usr=$m?stripslashes($_POST["${arg2}"]):$_POST["${arg2}"];$pwd=$m?stripslashes($_POST["${arg3}"]):$_POST["${arg3}"];$dbn=$m?stripslashes($_POST["${arg4}"]):$_POST["${arg4}"];$sql=base64_decode($_POST["${arg5}"]);$T=@mysqli_connect($hst,$usr,$pwd);@mysqli_query($T,"SET NAMES ${arg6}");@mysqli_select_db($T,$dbn);$q=@mysqli_query($T,$sql);$i=0;while($col=@mysqli_fetch_field($q)){echo($col->name."\t|\t");$i++;}echo("\r\n");while($rs=@mysqli_fetch_row($q)){for($c=0;$c<$i;$c++){echo(base64_encode(trim($rs[$c])));echo("\t|\t");}echo("\r\n");}@mysqli_close($T);`,
    [arg1]: '#{host}',
    [arg2]: '#{user}',
    [arg3]: '#{passwd}',

--- a/source/core/php/template/database/oracle.jsx
+++ b/source/core/php/template/database/oracle.jsx
@@ -38,7 +38,7 @@ module.exports = {
  // 执行SQL语句
  query: {
    _:
-      `$m=get_magic_quotes_gpc();$sid=$m?stripslashes($_POST["${arg1}"]):$_POST["${arg1}"];$usr=$m?stripslashes($_POST["${arg2}"]):$_POST["${arg2}"];$pwd=$m?stripslashes($_POST["${arg3}"]):$_POST["${arg3}"];$dbn=$m?stripslashes($_POST["${arg4}"]):$_POST["${arg4}"];$sql=base64_decode($_POST["${arg5}"]);$H=@ora_plogon("{$usr}@{$sid}","{$pwd}");if(!$H){echo("ERROR:// Login Failed!");}else{$T=@ora_open($H);@ora_commitoff($H);$q=@ora_parse($T,"{$sql}");$R=ora_exec($T);if($R){$n=ora_numcols($T);for($i=0;$i<$n;$i++){echo(Ora_ColumnName($T,$i)."\t|\t");}echo("\r\n");while(ora_fetch($T)){for($i=0;$i<$n;$i++){echo(trim(ora_getcolumn($T,$i)));echo("\t|\t");}echo("\r\n");}}else{echo("ErrMsg\t|\t\r\n");}@ora_close($T);};`,
+      `$m=get_magic_quotes_gpc();$sid=$m?stripslashes($_POST["${arg1}"]):$_POST["${arg1}"];$usr=$m?stripslashes($_POST["${arg2}"]):$_POST["${arg2}"];$pwd=$m?stripslashes($_POST["${arg3}"]):$_POST["${arg3}"];$dbn=$m?stripslashes($_POST["${arg4}"]):$_POST["${arg4}"];$sql=base64_decode($_POST["${arg5}"]);$H=@ora_plogon("{$usr}@{$sid}","{$pwd}");if(!$H){echo("ERROR:// Login Failed!");}else{$T=@ora_open($H);@ora_commitoff($H);$q=@ora_parse($T,"{$sql}");$R=ora_exec($T);if($R){$n=ora_numcols($T);for($i=0;$i<$n;$i++){echo(Ora_ColumnName($T,$i)."\t|\t");}echo("\r\n");while(ora_fetch($T)){for($i=0;$i<$n;$i++){echo(base64_encode(trim(ora_getcolumn($T,$i))));echo("\t|\t");}echo("\r\n");}}else{echo("ErrMsg\t|\t\r\n");}@ora_close($T);};`,
    [arg1]: '#{host}',
    [arg2]: '#{user}',
    [arg3]: '#{passwd}',

--- a/source/modules/database/php/index.jsx
+++ b/source/modules/database/php/index.jsx
@@ -427,6 +427,9 @@ class PHP {
    let data_arr = [];
    arr.map((_) => {
      let _data = _.split('\t|\t');
+      for (let i = 0; i < _data.length; i ++) {
+      	_data[i] = antSword.noxss(new Buffer(_data[i], "base64").toString());
+      }
      data_arr.push(_data);
    });
    data_arr.pop();