### 简要描述: rt ### 详细说明: control/doc.php:docreate方法 ``` …… 流程条件省略 …… }else{//点击发布词条 if($this->setting['checkcode']!=3 && $this->setting['doc_verification_create_code'] && strtolower($this->post['code'])!=$_ENV['user']->get_code()){ $this->message($this->view->lang['codeError'],'BACK',0); } if(@trim($this->post['content'])==''||@trim($this->post['title'])==''){ $this->message($this->view->lang['contentIsNull'],'BACK',0); } // # 调用doc类中的replace_danger_word方法但对我们post[‘title’]没啥影响。 // # 接着string方法substring 截取81位字符刚好可以把我们的addslashes添加的\给截取掉。 // # 我们只需要找到一处可控即可。接着往下看有没有调用doc的。 $doc['title']=string::substring(string::stripscript($_ENV['doc']->replace_danger_word(trim($this->post['title']))),0,80); $_doc=$this->db->fetch_by_field('doc','title',$doc['title']); if((bool)$_doc && !empty($_doc['content'])){ $this->message($this->view->lang['createDocTip5'],'BACK',0); } // # category 词条分类 if(!(bool)$_ENV['category']->vilid_category($this->post['category'])){...
### 简要描述: rt ### 详细说明: control/doc.php:docreate方法 ``` …… 流程条件省略 …… }else{//点击发布词条 if($this->setting['checkcode']!=3 && $this->setting['doc_verification_create_code'] && strtolower($this->post['code'])!=$_ENV['user']->get_code()){ $this->message($this->view->lang['codeError'],'BACK',0); } if(@trim($this->post['content'])==''||@trim($this->post['title'])==''){ $this->message($this->view->lang['contentIsNull'],'BACK',0); } // # 调用doc类中的replace_danger_word方法但对我们post[‘title’]没啥影响。 // # 接着string方法substring 截取81位字符刚好可以把我们的addslashes添加的\给截取掉。 // # 我们只需要找到一处可控即可。接着往下看有没有调用doc的。 $doc['title']=string::substring(string::stripscript($_ENV['doc']->replace_danger_word(trim($this->post['title']))),0,80); $_doc=$this->db->fetch_by_field('doc','title',$doc['title']); if((bool)$_doc && !empty($_doc['content'])){ $this->message($this->view->lang['createDocTip5'],'BACK',0); } // # category 词条分类 if(!(bool)$_ENV['category']->vilid_category($this->post['category'])){ $this->message($this->view->lang['categoryNotExist'],'BACK',0); } if((bool)$this->post['summary']){ $doc['summary']=trim(strip_tags($_ENV['doc']->replace_danger_word($this->post['summary']))); } $doc['did']=intval($this->post['did']); $doc['letter']=string::getfirstletter($this->post['title']); $doc['category']=$this->post['category']; …………………… $doc['summary'] = (bool)$doc['summary']?$doc['summary']:$doc['content']; // #同上 有一处可控字符 // #继续向下看。 $doc['summary'] = trim(string::convercharacter(string::substring(strip_tags($doc['summary']),0,100)));//去除换行符截断字符串 $doc['summary'] = htmlspecialchars(string::stripscript(strip_tags($doc['summary'])));//去除特殊字符 去除javascript代码 …………………… if($doc['visible'] == 1){ $_ENV['user']->add_credit($this->user['uid'],'doc-create',$this->setting['credit_create'],$this->setting['coin_create']); } // #调用 doc类add_doc方法。 // doc数组被传进去了我们进去看看。 $did=$_ENV['doc']->add_doc($doc); ``` ``` Model/doc.class.php add_doc方法 function add_doc($doc) { $editions = ($this->base->setting['base_createdoc']==1)?1:0; $doc['title'] = trim($doc['title']); if ($doc['did']){ $this->db->query("REPLACE INTO ".DB_TABLEPRE."doc (did,letter,title,tag ,summary ,content,author,authorid,time,lastedit,lasteditor,lasteditorid,visible,editions) VALUES (".$doc['did'].",'".$doc['letter']."','".$doc['title']."','".$doc['tags']."','".$doc['summary']."','".$doc['content']."', '".$this->base->user['username']."','".$this->base->user['uid']."', ".$doc['time'].",".$doc['time'].",'".$this->base->user['username']."','".$this->base->user['uid']."','".$doc['visible']."',$editions)"); $did = $doc['did']; $this->db->query("DELETE FROM ".DB_TABLEPRE."autosave WHERE did=".$did." AND uid=".$this->base->user['uid']); }else{ // 我们的可控点都在这了截取字符\破坏后面的单引号,这样我们就能注射了。 //构造exp $this->db->query("INSERT INTO ".DB_TABLEPRE."doc (letter,title,tag ,summary ,content,author,authorid,time,lastedit,lasteditor,lasteditorid,visible,editions) VALUES ('".$doc['letter']."','".$doc['title']."','".$doc['tags']."','".$doc['summary']."','".$doc['content']."', '".$this->base->user['username']."','".$this->base->user['uid']."', ".$doc['time'].",".$doc['time'].",'".$this->base->user['username']."','".$this->base->user['uid']."','".$doc['visible']."',$editions)"); $did = $this->db->insert_id(); $this->add_doc_category($did, $doc['category']); $this->db->query("DELETE FROM ".DB_TABLEPRE."autosave WHERE did=".$did." AND uid=".$this->base->user['uid']); } if($this->base->setting['base_createdoc']==1){ $this->db->query("INSERT INTO ".DB_TABLEPRE."edition (did,author,authorid,time,ip,title,tag,summary,content,words,images ) VALUES ($did,'".$this->base->user['username']."','".$this->base->user['uid']."', '".$doc['time']."','".$this->base->ip."','".$doc['title']."','".$doc['tags']."','".$doc['summary']."','".$doc['content']."','".$doc['words']."','".$doc['images']."')"); } return $did; } ``` ``` SQL日志 INSERT INTO wiki_doc (letter,title,tag ,summary ,content,author,authorid,time,lastedit,lasteditor,lasteditorid,visible,editions) VALUES ('t','testp','','aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabaaaaaddwwwwwwaaaadddddwww\','TEST', 'cccasc','2', 1414842300,1414842300,'cccasc','2','1',0) ``` ### 漏洞证明: [<img src="https://images.seebug.org/upload/201411/0119390883717ebfcdebe932833adbf99ed9c7c9.png" alt="图片1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/0119390883717ebfcdebe932833adbf99ed9c7c9.png) 由于语句加了换行,在mysql某些版本导致/**注释失败。 测试版本 :5.1
