### Brief description:

INSERT injection that works regardless of GPC. A SupeSite install ships with UCenter; if both sit in the same database, one can try to inject the uckey out, and then……

### Details:

Look at the global file:

```php
if(!(get_magic_quotes_gpc())) {
    $_GET = saddslashes($_GET);
    $_POST = saddslashes($_POST);
    $_COOKIE = saddslashes($_COOKIE);
}
```

It checks whether GPC is on and, if not, escapes GET, POST and COOKIE. `$_FILES` is never escaped.

___

In batch.upload.php:

```php
elseif (!empty($_POST)) { // POST is not empty
    // edit title
    if(!empty($_GET['editaid']) && $editaid = intval($_GET['editaid'])) {
        $editsubject = cutstr(trim(shtmlspecialchars($_POST['editsubject'])), 50);
        updatetable('attachments', array('subject'=>$editsubject), array('aid'=>$editaid));
        print <<<END
<script language="javascript">
var div = parent.document.getElementById("div_upload_" + $editaid);
var pf = parent.document.getElementById("phpframe");
pf.src = "about:blank";
div.innerHTML = "$editsubject";
</script>
END;
        exit;
    }
    // upload file
    // upload mode
    $mode = intval(postget('mode'));
    if($mode>3) exit; // just leave mode empty
    $hash = trim(preg_replace("/[^a-z0-9\-\_]/i", '', trim($_POST['hash'])));
    if(strlen($hash) != 16) showresult($blang['unable_to_complete_this_craft']); // only checks that the hash is 16 characters long, nothing further, so hash can simply be 1111111111111111
    // count
    $filecount = 1;
    $query = $_SGLOBAL['db']->query('SELECT COUNT(*) FROM '.tname('attachments').' WHERE hash=\''.$hash.'\'');
    $count = $_SGLOBAL['db']->result($query, 0);
    $allowmax = intval($_POST['uploadallowmax']);
    if($allowmax > 0 && $count + $filecount > $allowmax) showresult($blang['the_number_has_reached_maximum']);
    // type
    $allowtypearr = getallowtype(trim($_POST['uploadallowtype'])); // allowed upload types, taken from POST
    // space
    $attachsize = 0;
    include_once(S_ROOT.'./function/upload.func.php');
    if(empty($mode)) { // leaving $mode empty is enough
        // local upload
        // check
        $filearr = $_FILES['localfile']; // grab $_FILES
        if(empty($filearr['size']) || empty($filearr['tmp_name'])) showresult($blang['failure_to_obtain_upload_file_size']);
        $fileext = fileext($filearr['name']); // get the extension
        if(!empty($allowtypearr)) {
            if(empty($allowtypearr[$fileext])) showresult($blang['upload_not_allow_this_type_of_resources']."
($allowtype_ext)");
            if($filearr['size'] > $allowtypearr[$fileext]['maxsize']) showresult($blang['file_size_exceeded_the_permissible_scope']);
        }
        // thumbnail
        if(!empty($_POST['uploadthumb0']) && !empty($_SCONFIG['thumbarray'][$_POST['uploadthumb0']])) {
            $thumbarr = $_SCONFIG['thumbarray'][$_POST['uploadthumb0']];
        } else {
            $thumbarr = array($_POST['thumbwidth'], $_POST['thumbheight']);
        }
        // upload
        $newfilearr = savelocalfile($filearr, $thumbarr);
        if(empty($newfilearr['file'])) showresult($blang['uploading_files_failure']);
        // database
        if(empty($_POST['uploadsubject0'])) $_POST['uploadsubject0'] = cutstr(filemain($filearr['name']), 50);
        // and below it all goes into the INSERT
        $insertsqlarr = array(
            'uid' => $uid,
            'dateline' => $_SGLOBAL['timestamp'],
            'filename' => saddslashes($filearr['name']), // the file name is escaped
            'subject' => trim(shtmlspecialchars($_POST['uploadsubject0'])),
            'attachtype' => $fileext, // the extension is NOT escaped
            'isimage' => (in_array($fileext, array('jpg','jpeg','gif','png'))?1:0),
            'size' => $filearr['size'],
            'filepath' => $newfilearr['file'],
            'thumbpath' => $newfilearr['thumb'],
            'hash' => $hash
        );
        inserttable('attachments', $insertsqlarr); // insert
```

`'filename' => saddslashes($filearr['name'])`: the file name is escaped before it reaches the query. `'attachtype' => $fileext`: now look at `$fileext`, which is `$fileext = fileext($filearr['name']);`

```php
function fileext($filename) {
    return strtolower(trim(substr(strrchr($filename, '.'), 1)));
}
```

It returns whatever follows the last dot, with no escaping at all, so the injection goes in through the file extension.

A few things in the code above make this reachable from the client: `$_FILES['localfile']['name']` is fully attacker-controlled and never passes through `saddslashes()`; the allowed-type list comes from `$_POST['uploadallowtype']`, so an empty value makes `$allowtypearr` empty and skips the extension whitelist; `mode` left empty selects the local-upload branch; and `hash` only has to be 16 characters of `[a-z0-9_-]`.

[![s7.jpg](https://images.seebug.org/upload/201410/11233159270c1b8c0701cea69a257e6b73779bbe.jpg)](https://images.seebug.org/upload/201410/11233159270c1b8c0701cea69a257e6b73779bbe.jpg)

As the screenshot shows, the name is escaped while the single quote in the extension goes through untouched.

[![s8.jpg](https://images.seebug.org/upload/201410/1123350096ef55e2e0676c71cffbef7c1716865f.jpg)](https://images.seebug.org/upload/201410/1123350096ef55e2e0676c71cffbef7c1716865f.jpg)

Data comes out.

### Proof of vulnerability:

[![s8.jpg](https://images.seebug.org/upload/201410/1123350096ef55e2e0676c71cffbef7c1716865f.jpg)](https://images.seebug.org/upload/201410/1123350096ef55e2e0676c71cffbef7c1716865f.jpg)
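Added example, not SupeSite's own code: a Python model of the path described above, so the escaping gap can be seen on a string rather than in a screenshot. `saddslashes()` and `fileext()` are ports of the PHP shown on the page; `inserttable_sql()` is an assumed simplification of the real `inserttable()` helper (values wrapped in single quotes, escaping left to the caller, which matches how the insert array on the page is written). The uploaded file name is a constructed input, and the hardened variant with its extension whitelist is a suggestion, not a patch from the project.

```python
import re


def saddslashes(value):
    # Model of SupeSite's saddslashes(): PHP addslashes() applied recursively
    # to $_GET/$_POST/$_COOKIE. Escapes single quote, double quote, backslash, NUL.
    if isinstance(value, dict):
        return {k: saddslashes(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [saddslashes(v) for v in value]
    return (str(value).replace("\\", "\\\\").replace("'", "\\'")
            .replace('"', '\\"').replace("\0", "\\0"))


def fileext(filename):
    # Port of fileext(): everything after the last '.', trimmed and lowercased.
    # Nothing here strips or escapes a quote, which is the whole bug.
    if "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1].strip().lower()


def inserttable_sql(table, fields):
    # Assumed simplification of inserttable(): every value is wrapped in single
    # quotes as-is, so any quote the caller did not escape terminates the literal.
    cols = ", ".join(f"`{k}`" for k in fields)
    vals = ", ".join(f"'{v}'" for v in fields.values())
    return f"INSERT INTO `{table}` ({cols}) VALUES ({vals})"


def build_attachment_insert(uploaded_name, hash_, uid=1):
    # Mirror of the local-upload branch in batch.upload.php. $_FILES is not run
    # through saddslashes() by the global file, so uploaded_name arrives raw.
    # hash_ is assumed to have already passed the page's preg_replace filter.
    ext = fileext(uploaded_name)
    return inserttable_sql("attachments", {
        "uid": uid,
        "filename": saddslashes(uploaded_name),   # escaped, as on the page
        "attachtype": ext,                         # NOT escaped, as on the page
        "isimage": 1 if ext in ("jpg", "jpeg", "gif", "png") else 0,
        "hash": hash_,
    })


EXT_RE = re.compile(r"^[a-z0-9]{1,10}$")


def is_extension_allowed(ext):
    # Hardening: only letters and digits may appear in an extension. The length
    # cap of 10 is an assumption for this example, not taken from the page.
    return bool(EXT_RE.match(ext))


def build_attachment_insert_fixed(uploaded_name, hash_, uid=1):
    # Hardened variant: whitelist the extension and escape it anyway, so a later
    # change to the whitelist cannot silently reopen the injection.
    ext = fileext(uploaded_name)
    if not is_extension_allowed(ext):
        return None
    return inserttable_sql("attachments", {
        "uid": uid,
        "filename": saddslashes(uploaded_name),
        "attachtype": saddslashes(ext),
        "isimage": 1 if ext in ("jpg", "jpeg", "gif", "png") else 0,
        "hash": hash_,
    })


if __name__ == "__main__":
    # Constructed file name: the client controls $_FILES['localfile']['name'] entirely.
    name = "photo.jpg'"
    print(build_attachment_insert(name, "1111111111111111"))
    print(build_attachment_insert_fixed(name, "1111111111111111"))
```

Running it shows the filename column as `'photo.jpg\''` and the attachtype column as `'jpg''`: the same quote, escaped in one place and live in the other, exactly what the screenshots on the page capture.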