### 简要描述: 见drops中@小飞发了一篇文章:http://drops.wooyun.org/tips/4483 我一直认为没有实例的文章不是好文章,于是来帮他加个实例,由PHP弱类型造成的SQL注入,非常典型。 为了不拉低大号的平均rank,小号交起~~嘿 ### 详细说明: /control/list.php 109行 ``` function dofocus(){ $doctype = $this->get[2]; switch($doctype){ case 2: $type = 'hot'; $navtitle = $this->view->lang['hotDoc']; break; case 3: $type = 'champion'; $navtitle = $this->view->lang['wonderDoc']; break; default: $doctype = 1; $navtitle = $this->view->lang['focusDoc']; $type = 'focus'; } $url = 'list-focus-'.$doctype; $this->get[3] = empty($this->get[3]) ? NULL : $this->get[3]; $page = max(1, intval($this->get[3])); $start_limit = ($page - 1) * $this->setting['list_focus']; $total=100; $num=10; $count=$this->db->fetch_total('focus',"type=$doctype"); $count=($count<$total)?$count:$total; $list=$_ENV['doc']->get_focus_list($start_limit,$this->setting['list_focus'],$doctype); $departstr=$this->multi($count, $this->setting['list_focus'], $page,$url); $this->view->assign('navtitle',$navtitle);...
### 简要描述: 见drops中@小飞发了一篇文章:http://drops.wooyun.org/tips/4483 我一直认为没有实例的文章不是好文章,于是来帮他加个实例,由PHP弱类型造成的SQL注入,非常典型。 为了不拉低大号的平均rank,小号交起~~嘿 ### 详细说明: /control/list.php 109行 ``` function dofocus(){ $doctype = $this->get[2]; switch($doctype){ case 2: $type = 'hot'; $navtitle = $this->view->lang['hotDoc']; break; case 3: $type = 'champion'; $navtitle = $this->view->lang['wonderDoc']; break; default: $doctype = 1; $navtitle = $this->view->lang['focusDoc']; $type = 'focus'; } $url = 'list-focus-'.$doctype; $this->get[3] = empty($this->get[3]) ? NULL : $this->get[3]; $page = max(1, intval($this->get[3])); $start_limit = ($page - 1) * $this->setting['list_focus']; $total=100; $num=10; $count=$this->db->fetch_total('focus',"type=$doctype"); $count=($count<$total)?$count:$total; $list=$_ENV['doc']->get_focus_list($start_limit,$this->setting['list_focus'],$doctype); $departstr=$this->multi($count, $this->setting['list_focus'], $page,$url); $this->view->assign('navtitle',$navtitle); $this->view->assign("departstr",$departstr); $this->view->assign('type',$type); $this->view->assign('list',$list); //$this->view->display('list'); $_ENV['block']->view('list'); } ``` 从GET里获得doctype,$doctype = $this->get[2];,进入一个switch语句。 我们看到后面这句话:$count=$this->db->fetch_total('focus',"type=$doctype");,是直接将$doctype带入SQL语句了的,只要这个switch语句不影响$doctype的值,后面就能注入了。 我们看到case 2和case 3的结果都不会改变$doctype的值,但如果进入default是会将$doctype改为1的。 不是我们传入非2或3的值都会进入default么?这样怎么注入? 这里就犯了一个“弱类型”的错误,当一个字符串和一个数字比较的时候,是会先将字符串intval后再与数字比较。 所以我传入doctype是2xxxx的时候,实际上是会进入case 2而不是default。出了switch语句后,doctype的值还是2xxxx,而不是2. 所以之后的$count=$this->db->fetch_total('focus',"type=$doctype");,$doctype带入SQL语句造成注入。 不过鸡肋的是,hdwiki对GET变量有拦截,我绕不过。所以……仅供学习 ### 漏洞证明: 本地测试,无需登录: 1=2无结果: [<img src="https://images.seebug.org/upload/201501/0412000502bc8da8917e3112ada28d32b9566901.jpg" alt="006.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/0412000502bc8da8917e3112ada28d32b9566901.jpg) 1=1有结果: [<img src="https://images.seebug.org/upload/201501/04120059d5d66f9a097bca7086d0fcc1db36b7c2.jpg" alt="007.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/04120059d5d66f9a097bca7086d0fcc1db36b7c2.jpg) 实际执行的SQL语句是: [<img src="https://images.seebug.org/upload/201501/041207121db3235fbea7021b3d1419cf1b4e3734.jpg" alt="0014.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/041207121db3235fbea7021b3d1419cf1b4e3734.jpg) hdwiki对GET有waf限制,所以只能在当前表注入。
