### Summary:

The official test site seems to have been getshelled, which scared me~ it wasn't me~

### Details:

app/controller/messageController.php

```php
class messageController extends Controller{
    private $model="message";
    public function index(){
        return $this->display("message.html");//,M($this->model)->page());
    }
    public function add(){
        return $this->display("message_add.html");//,M($this->model)->page());
    }
    public function save(){
        // $_POST is run through lib_replace_end_tag_array() and then handed to the model's save()
        echo json_encode(M($this->model)->save(lib_replace_end_tag_array($_POST)));
    }
}
```

The controller's save method filters $_POST and then passes it on to the model's save(). Look at the filter function lib_replace_end_tag_array:

```php
function lib_replace_end_tag_array($array){
    if(!is_array($array)) return false;
    foreach($array as $k => $v){
        $arr[$k]= lib_replace_end_tag($v);   // only the value $v is filtered; the key $k is kept untouched
    }
    return $arr;
}
```

As can be seen, only the values are filtered, not the keys. Now look at the model's save function:

```php
public function save($array){
    if($_SESSION['authnum']!=$array['vcode']||$_SESSION['authnum']==""){
        return array('status' => 'c');
    }
    unset($array['vcode']);
    $re=D($this->d_name)->insert($array);   // the remaining POST array goes straight into insert()
    if($re){
        $_SESSION['authnum']="";
        return array('status' => 'y','id' => $re);
    }else{
        return array('status' => 'n','id' => $re);
    }
}
```

The $_POST array is passed into insert(); following it:

```php
public function insert($row){
    if (!is_array($row)) {
        return false;
    }
    foreach ($row as $key => $value) {
        $cols[] = $key;                        // column name taken verbatim from the POST key
        $vals[] = $this->db->escape($value);   // only the value is escaped
    }
    $col = join('`,`', $cols);
    $val = join(',', $vals);
    $this->db->query('insert into `'.$this->name.'` (`'.$col.'`) values ('.$val.')');
    return $this->lastinsertid();
}
```

The keys are concatenated into the column list without any filtering, so this results in SQL injection.

### Proof of Concept:

![01.jpg](https://images.seebug.org/upload/201407/31232749f3257a425c12c0bd2b85f74a7875e90f.jpg)

Add a message:

![002.jpg](https://images.seebug.org/upload/201407/31234350c731b7a26b4a8464747229c4db148c6b.jpg)

Viewing it shows the data obtained through the injection:

![003.jpg](https://images.seebug.org/upload/201407/312344124e20dcf8a45888406d9f7229bef56bca.jpg)
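One way to close the hole in the insert() method discussed above, as an added example that is not the project's code: column names are checked against an allow-list of real columns and values are bound as parameters, so nothing from the client is concatenated into the SQL text. The SafeMessageModel class, the in-memory SQLite table and its column list are assumptions.

```php
<?php
// Added example, not the project's code: a hardened replacement for the
// insert() method quoted above. POST keys become column names, so each key
// is checked against an allow-list of real columns and values are bound as
// parameters; nothing from the client is concatenated into the SQL text.
// The SQLite schema and the column list of `message` are assumptions.
class SafeMessageModel {
    private $pdo;
    private $name = 'message';
    // Columns the message table actually has; any other key is rejected.
    private $columns = array('name', 'email', 'content');
    public function __construct(PDO $pdo) {
        $this->pdo = $pdo;
    }
    public function insert($row) {
        if (!is_array($row) || empty($row)) {
            return false;
        }
        $cols = array(); $marks = array(); $params = array();
        foreach ($row as $key => $value) {
            // escape() protects values only; identifiers need an allow-list.
            if (!in_array($key, $this->columns, true)) {
                throw new InvalidArgumentException('unexpected column: ' . $key);
            }
            $cols[] = '`' . $key . '`';
            $marks[] = ':' . $key;
            $params[':' . $key] = $value;
        }
        $sql = 'INSERT INTO `' . $this->name . '` (' . join(',', $cols)
             . ') VALUES (' . join(',', $marks) . ')';
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $this->pdo->lastInsertId();
    }
}

// Constructed demo on an in-memory SQLite database (SQLite accepts backticks).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE message (id INTEGER PRIMARY KEY, name TEXT, email TEXT, content TEXT)');
$model = new SafeMessageModel($pdo);
// A normal submission (vcode already removed by save()) is stored.
echo $model->insert(array('name' => 'alice', 'content' => "it's fine")), "\n";
// A request carrying a key that is not a column is refused before any SQL runs.
try {
    $model->insert(array('name' => 'bob', 'not_a_column' => 'x'));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The same allow-list check could equally be applied in lib_replace_end_tag_array(), but doing it at the point where the SQL is built keeps every caller of insert() covered.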