### Brief description:

No preconditions. Anything that depends on GPC (magic_quotes_gpc) or a global-variable setting is not a good vulnerability.

### Details:

Came to the crowd-sourced test to find bugs, and ended up reading the white-box source... (0day) http://ce.wooyun.org/content/7045

```php
function onaddcomment() {
    if (isset($this->post['content'])) {
        $content = htmlspecialchars($this->post['content']);
        $answerid = intval($this->post['answerid']);
        $replyauthorid = intval($this->post['replyauthor']);
        $answer = $_ENV['answer']->get($answerid);
        $_ENV['answer_comment']->add($answerid, $content, $this->user['uid'], $this->user['username']);
        // remainder of the handler is not quoted in the report
    }
}
```

This is the "add comment" handler. Look at `$_ENV['answer_comment']->add($answerid, $content, $this->user['uid'], $this->user['username']);`: `$this->user['username']` is under our control, since a malformed username such as `test12345a\` can be registered (see the previous analysis). Following the `add` method:

```php
function add($answerid, $conmment, $authorid, $author) {
    //echo 'INSERT INTO `' . DB_TABLEPRE . "answer_comment`(`aid`,`authorid`,`author`,`content`,`time`) values ($answerid,$authorid,'$author','$conmment'," . $this->base->time . ")";exit();
    $this->db->query('INSERT INTO `' . DB_TABLEPRE . "answer_comment`(`aid`,`authorid`,`author`,`content`,`time`) values ($answerid,$authorid,'$author','$conmment'," . $this->base->time . ")");
    $this->db->query("UPDATE " . DB_TABLEPRE . "answer SET comments=comments+1 WHERE `id`=$answerid");
}
```

`content` is under our control as well. Set the content to `,user(),1)#` and that is all it takes.

![zzzzzz.png](https://images.seebug.org/upload/201502/10102311f9de49e4bf4b04da58576570e81f4445.png)

The comment then reads root@localhost. See the crowd-test report for details.

### Proof of vulnerability:

![zzzzzz.png](https://images.seebug.org/upload/201502/10102311f9de49e4bf4b04da58576570e81f4445.png)

The comment then reads root@localhost.
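The root cause is that `add()` interpolates `$author` and `$conmment` straight into the SQL text: the trailing backslash of a username like `test12345a\` escapes the closing quote of `'$author'`, so whatever follows in `$conmment` is parsed as SQL rather than as data. The fix is to send values separately from the statement. The following is an added example, not Tipask's own code: the same insert and counter update rewritten with PDO prepared statements, plus a registration-time username check. It assumes `$pdo` is a PDO connection to the same MySQL database opened with `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION` and `PDO::ATTR_EMULATE_PREPARES => false`; the function name `add_comment`, the `$tablePrefix` parameter and the username character class are this example's assumptions.

```php
<?php
// Added example (not from the Tipask code base): hardened comment insert.
// Assumes $pdo was created with ERRMODE_EXCEPTION and EMULATE_PREPARES=false
// so that errors throw and the server does the parameter binding.

function add_comment(
    PDO $pdo,
    string $tablePrefix,   // value of DB_TABLEPRE in the original code
    int $answerid,
    string $conmment,      // parameter name kept from the report's add()
    int $authorid,
    string $author,
    int $time
): void {
    // Identifiers cannot be bound, so the prefix that is spliced into the
    // SQL text is restricted to a strict whitelist first.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $tablePrefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }

    $pdo->beginTransaction();
    try {
        $insert = $pdo->prepare(
            'INSERT INTO `' . $tablePrefix . 'answer_comment` '
            . '(`aid`,`authorid`,`author`,`content`,`time`) '
            . 'VALUES (:aid, :authorid, :author, :content, :time)'
        );
        // Bound values travel separately from the statement text, so a
        // trailing backslash in $author or a ",...)#" sequence in $content
        // is stored verbatim and cannot alter the statement's structure.
        $insert->execute([
            ':aid'      => $answerid,
            ':authorid' => $authorid,
            ':author'   => $author,
            ':content'  => $conmment,
            ':time'     => $time,
        ]);

        $update = $pdo->prepare(
            'UPDATE `' . $tablePrefix . 'answer` '
            . 'SET comments = comments + 1 WHERE `id` = :aid'
        );
        $update->execute([':aid' => $answerid]);

        $pdo->commit();
    } catch (Throwable $e) {
        // Keep the comment row and the counter consistent on any failure.
        $pdo->rollBack();
        throw $e;
    }
}

// Defence in depth at registration: reject usernames containing quotes,
// backslashes or other non-word characters, which is where a name such as
// test12345a\ would otherwise enter the system. The allowed character class
// and length limits are this example's assumption, not a Tipask rule.
function is_acceptable_username(string $username): bool
{
    return (bool) preg_match('/^[\p{L}\p{N}_-]{3,30}$/u', $username);
}
```

With binding in place, the stored `author` is exactly `test12345a\` and the stored `content` is exactly the submitted text, whatever it contains; the username check is only a second layer and does not replace the parameterized query. Note that `htmlspecialchars()` on `$content`, as used in `onaddcomment()`, is output encoding for HTML and does nothing for SQL, which is why it did not stop this injection.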