### Summary: a design mistake in phpems leads to 3 SQL injection vulnerabilities

### Details:

4. Three more SQL injection vulnerabilities in PHPems

The vulnerable code lives in the lesson() function of /app/exam/app.php:

```php
public function lesson()
{
    $action = $this->ev->url(3);
    $page = $this->ev->get('page');
    switch($action)
    {
        case 'ajax':
            switch($this->ev->url(4))
            {
                case 'questions':
                    $number = $this->ev->get('number');
                    if(!$number)$number = 1;
                    // both values come straight from request cookies
                    $questid = $this->ev->getCookie('questype');
                    $knowsid = $this->ev->getCookie('knowsid');
                    $questions = $this->question->getRandQuestionListByKnowid($knowsid,$questid);//SQL injection
                    $allnumber = $this->exam->getQuestionNumberByQuestypeAndKnowsid($questid,$knowsid);//SQL injection
                    // ... (rest of the handler omitted)
            }
            // ...
    }
}
```

OK, I won't go into the phpems mechanics here; `$knowsid = $this->ev->getCookie('knowsid');` simply means that knowsid can be set by the user in a cookie (the cookie is named `exam_knowsid`, as used in the proof below). Next we go into getRandQuestionListByKnowid($knowsid,$questid) 【1】:

```php
function getRandQuestionListByKnowid($knowid,$typeid)
{
    // $knowid is interpolated unquoted into IN (...), $typeid into a quoted string
    $data = array('DISTINCT questions.questionid',array('questions','quest2knows'),array("quest2knows.qkknowsid IN ({$knowid})","quest2knows.qktype = 0","quest2knows.qkquestionid = questions.questionid","questions.questiontype = '{$typeid}'","questions.questionstatus = 1"),false,false,false);
    $sql = makeSelect($data);
    return $sql;
}
```

As you can see, $knowid is not filtered in any way and is not even wrapped in single quotes, because it is dropped directly into the `IN (...)` list. makeSelect only concatenates its arguments, so this is a straightforward SQL injection.

The function below it, getQuestionNumberByQuestypeAndKnowsid() 【2】, is injectable for exactly the same reason:

```php
public function getQuestionNumberByQuestypeAndKnowsid($questype,$knowsid)
{
    if(!$knowsid)$knowsid = '0';
    // first query: $questype inside quotes, $knowsid unquoted in IN (...)
    $data = array("count(*) AS number",array('questions','quest2knows'),array("questions.questiontype = '{$questype}'","questions.questionparent = 0","questions.questionstatus = 1","questions.questionid = quest2knows.qkquestionid","quest2knows.qkknowsid IN ({$knowsid})","quest2knows.qktype = 0"),false,false,false);
    $sql = $this->sql->makeSelect($data);
    $r = $this->db->fetch($sql);
    // second query: the same two values are interpolated again
    $data = array("sum(qrnumber) AS number",array('questionrows','quest2knows'),array("questionrows.qrtype = '{$questype}'","questionrows.qrstatus = 1","questionrows.qrid = quest2knows.qkquestionid","quest2knows.qkknowsid IN ({$knowsid})","quest2knows.qktype = 1"),false,false,false);
    $sql = $this->sql->makeSelect($data);
    $m = $this->db->fetch($sql);
    return $r['number']+$m['number'];
}
```

On top of that, there are two more unfiltered spots inside this function (the second query interpolates the same values again), and both of them can trigger injection as well. The next function, getRandQuestionRowsListByKnowid(), has the same problem 【3】.

### Proof of vulnerability:

I verified the first one; the others are identical.

First register a user and log in, then add an `exam_knowsid` variable to the cookie with the value `(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))`:

[![qqq.png](https://images.seebug.org/upload/201503/1218363580d45f3d0621691cd642dd72375b4b99.png)](https://images.seebug.org/upload/201503/1218363580d45f3d0621691cd642dd72375b4b99.png)

Then visit localhost/ems/index.php?exam-app-lesson-ajax-questions:

[![www.png](https://images.seebug.org/upload/201503/121837039c6408693972bd82ff8f33ac551580cf.png)](https://images.seebug.org/upload/201503/121837039c6408693972bd82ff8f33ac551580cf.png)

OK, verified.
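The following is an added example, not phpems code and not part of the original report. It rebuilds injection point 【1】 (getRandQuestionListByKnowid) in Python: a makeSelect-style concatenating builder, the query executed against an in-memory SQLite copy of the two tables the query touches, and a hardened variant that validates the `knowsid` cookie as a comma-separated list of integers and binds every value. SQLite has no updatexml(), so instead of the report's error-based payload it uses a boolean payload in the same unquoted `IN (...)` position to show the WHERE clause being rewritten. The schema, sample rows and the `parse_knowsid` helper are constructed here for illustration.

```python
import re
import sqlite3

# Constructed schema and rows: only the columns the report's query touches.
SCHEMA = """
CREATE TABLE questions (questionid INTEGER, questiontype TEXT, questionstatus INTEGER);
CREATE TABLE quest2knows (qkquestionid INTEGER, qkknowsid INTEGER, qktype INTEGER);
INSERT INTO questions VALUES (1,'1',1),(2,'1',1),(3,'1',1),(4,'1',1);
INSERT INTO quest2knows VALUES (1,10,0),(2,10,0),(3,20,0),(4,30,0);
"""


def make_select(fields, tables, where):
    """Same idea as phpems' makeSelect as the report describes it:
    the pieces are joined with no escaping at all."""
    return f"SELECT {fields} FROM {', '.join(tables)} WHERE {' AND '.join(where)}"


def vulnerable_sql(knowsid, typeid):
    """Mirrors getRandQuestionListByKnowid(): knowsid lands unquoted inside
    IN (...), typeid lands inside single quotes. Both come from cookies."""
    return make_select("DISTINCT questions.questionid",
                       ["questions", "quest2knows"],
                       [f"quest2knows.qkknowsid IN ({knowsid})",
                        "quest2knows.qktype = 0",
                        "quest2knows.qkquestionid = questions.questionid",
                        f"questions.questiontype = '{typeid}'",
                        "questions.questionstatus = 1"])


# Hypothetical hardening: the cookie legitimately carries only a
# comma-separated list of integer knowledge-point ids, so reject anything else.
KNOWSID_RE = re.compile(r"\d+(,\d+)*")


def parse_knowsid(knowsid):
    """Whitelist the cookie before it gets anywhere near the query."""
    if not knowsid:
        return [0]
    if not KNOWSID_RE.fullmatch(knowsid):
        raise ValueError(f"invalid knowsid cookie: {knowsid!r}")
    return [int(x) for x in knowsid.split(",")]


def hardened_sql(ids, typeid):
    """Same query with one placeholder per id and typeid bound as a parameter."""
    marks = ",".join("?" * len(ids))
    sql = make_select("DISTINCT questions.questionid",
                      ["questions", "quest2knows"],
                      [f"quest2knows.qkknowsid IN ({marks})",
                       "quest2knows.qktype = 0",
                       "quest2knows.qkquestionid = questions.questionid",
                       "questions.questiontype = ?",
                       "questions.questionstatus = 1"])
    return sql, [*ids, typeid]


def run_vulnerable(knowsid, typeid="1"):
    """Execute the concatenated query; returns sorted question ids."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return sorted(r[0] for r in conn.execute(vulnerable_sql(knowsid, typeid)))


def run_hardened(knowsid, typeid="1"):
    """Validate the cookie, then execute the parameterized query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    sql, params = hardened_sql(parse_knowsid(knowsid), typeid)
    return sorted(r[0] for r in conn.execute(sql, params))


if __name__ == "__main__":
    print(run_vulnerable("10"))            # [1, 2]: the intended query
    # "0) OR 1=1 --" closes the IN list, ORs in a tautology and comments out
    # the join and status filters: every question comes back.
    print(run_vulnerable("0) OR 1=1 --"))  # [1, 2, 3, 4]
    print(run_hardened("10,20"))           # [1, 2, 3]
    try:
        run_hardened("0) OR 1=1 --")
    except ValueError as e:
        print("rejected:", e)
```

The whitelist is the real fix here: because the value feeds an IN list rather than a quoted string, quoting or addslashes-style escaping would not help, and the only safe options are to validate the cookie to the integer list it is meant to hold and to bind each id as a parameter. The same treatment applies to the `questype` cookie, which the report shows interpolated inside single quotes in every one of these queries.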