### 简要描述: 开发时候发现的。 ### 详细说明: apps/page/Lib/Action/DiyAction.class.php 192行: ``` public function doCopyTemplate() { $id = intval ( $_POST ['id'] ); $page = $_POST ['page']; $channel = $_POST ['channel']; $databaseData = D ( 'Page' )->getPageInfo ( $page, $channel ); $result = $this->checkRole ( $databaseData ['manager'], $databaseData ); if ($result ['admin']) { echo D ( 'pageTemplate' )->saveCopyAction ( $id, $this->mid, $page, $channel ); } else { echo - 1; } } ``` 取到$_POST['channel']传入getPageInfo函数。我们看看这个函数: ``` /** * 返回页面详细信息 * @param unknown_type $id * @param unknown_type $field * @return unknown */ public function getPageInfo( $map , $field = 'id,page_name,domain,canvas,manager,status,guest,seo_title,seo_keywords,seo_description'){ $data = $this->where($map)->field($field)->find(); return $data; } ``` 光看默认值就知道,第二个参数是字段名,甚至不用考虑addslashes。 我们来试试,登录后发送如下数据包: [<img src="https://images.seebug.org/upload/201410/1301164688dc610a272d391a103e02d199fa091a.jpg" alt="02.jpg" width="600"...
### 简要描述: 开发时候发现的。 ### 详细说明: apps/page/Lib/Action/DiyAction.class.php 192行: ``` public function doCopyTemplate() { $id = intval ( $_POST ['id'] ); $page = $_POST ['page']; $channel = $_POST ['channel']; $databaseData = D ( 'Page' )->getPageInfo ( $page, $channel ); $result = $this->checkRole ( $databaseData ['manager'], $databaseData ); if ($result ['admin']) { echo D ( 'pageTemplate' )->saveCopyAction ( $id, $this->mid, $page, $channel ); } else { echo - 1; } } ``` 取到$_POST['channel']传入getPageInfo函数。我们看看这个函数: ``` /** * 返回页面详细信息 * @param unknown_type $id * @param unknown_type $field * @return unknown */ public function getPageInfo( $map , $field = 'id,page_name,domain,canvas,manager,status,guest,seo_title,seo_keywords,seo_description'){ $data = $this->where($map)->field($field)->find(); return $data; } ``` 光看默认值就知道,第二个参数是字段名,甚至不用考虑addslashes。 我们来试试,登录后发送如下数据包: [<img src="https://images.seebug.org/upload/201410/1301164688dc610a272d391a103e02d199fa091a.jpg" alt="02.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/1301164688dc610a272d391a103e02d199fa091a.jpg) 看看mysql执行了什么语句: [<img src="https://images.seebug.org/upload/201410/13011653af785b419ee0e8c84989d8f78a9742a2.jpg" alt="01.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/13011653af785b419ee0e8c84989d8f78a9742a2.jpg) 图中可以看到,我们可控的部分很多,从select 后面所有内容我们都可控。没有敏感词select,所以无视WAF。 同样的方法在这个文件中还有多处,我就不一一指出。 ### 漏洞证明: 来构造一个盲注。看到代码: ``` $databaseData = D ( 'Page' )->getPageInfo ( $page, $channel ); $result = $this->checkRole ( $databaseData ['manager'], $databaseData ); ``` $databaseData ['manager']传入了checkRole函数,进去看看: ``` private function checkRole($user, $pageInfo) { $admin = false; $openDiy = false; $userModel = model ( 'UserGroup' ); $user = explode( ',' , $user); if (in_array ( $this->mid, $user ) || $userModel->isAdmin ( $this->mid )) { $admin = true; } else { $this->error( '您没有管理权限!' ); } if (isset ( $_GET ['diy'] ) && $pageInfo ['pageType'] != 'list') { $openDiy = true; } $this->assign ( 'openDiy', $openDiy ); $this->assign ( 'admin', $admin ); $result ['admin'] = $admin; $result ['openDiy'] = $openDiy; return $result; } ``` 如果$this->mid(就是你的uid)在$user中,则通过,否则显示“您没有管理权限”。 所以,通过是否显示“您没有管理权限”,可以来盲注。 我的$this->mid为2。>113显示“找不到方法”: [<img src="https://images.seebug.org/upload/201410/13012730e8e4c7eea6b15730cc87cebba76e7afe.jpg" alt="03.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/13012730e8e4c7eea6b15730cc87cebba76e7afe.jpg) >114显示“您没有管理员权限”: [<img src="https://images.seebug.org/upload/201410/13012749744df4f0e19f178622dcab75c2026060.jpg" alt="04.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/13012749744df4f0e19f178622dcab75c2026060.jpg) 同理,注入用户密码只要改user()为password即可。
