VULHUB ™

### 简要描述： TinyShop Sql Injection 1（无视GPC） ### 详细说明： 后台登陆界面存在检查功能，不安全取值导致的SQL注入。 ``` /controller/controller_class.php public function check() { $this->safebox = Safebox::getInstance(); $this->title='后台登录'; $code = $this->safebox->get($this->captchaKey); if($code != strtolower(Req::args($this->captchaKey))) { $this->msg='验证码错误！'; $this->layout = ""; $this->redirect('login',false); } else { $manager = new Manager(Req::args('name'),Req::args('password')); $this->msg='验证码错误！'; if($manager->getStatus() == 'online') { $back = Req::args('callback'); $model = new Model("manager"); $model->data(array('last_ip'=>Chips::getIP(),'last_login'=>date("Y-m-d H:i:s")))->where("id=".$manager->id)->update(); //这里有一个getIP函数，跟入。 if($back === null) $back = $this->defaultAction; $this->redirect($back,true); } else { $this->msg='用户名或者密码错误'; $this->layout = ""; $this->redirect('login',false); } } } ``` getip函数跟进。 /framework/lib/util/chips_class.php public static function getIP() { if...

### 简要描述： TinyShop Sql Injection 1（无视GPC） ### 详细说明： 后台登陆界面存在检查功能，不安全取值导致的SQL注入。 ``` /controller/controller_class.php public function check() { $this->safebox = Safebox::getInstance(); $this->title='后台登录'; $code = $this->safebox->get($this->captchaKey); if($code != strtolower(Req::args($this->captchaKey))) { $this->msg='验证码错误！'; $this->layout = ""; $this->redirect('login',false); } else { $manager = new Manager(Req::args('name'),Req::args('password')); $this->msg='验证码错误！'; if($manager->getStatus() == 'online') { $back = Req::args('callback'); $model = new Model("manager"); $model->data(array('last_ip'=>Chips::getIP(),'last_login'=>date("Y-m-d H:i:s")))->where("id=".$manager->id)->update(); //这里有一个getIP函数，跟入。 if($back === null) $back = $this->defaultAction; $this->redirect($back,true); } else { $this->msg='用户名或者密码错误'; $this->layout = ""; $this->redirect('login',false); } } } ``` getip函数跟进。 /framework/lib/util/chips_class.php public static function getIP() { if (isset($_SERVER["HTTP_X_FORWARDED_FOR"]))$ip = $_SERVER["HTTP_X_FORWARDED_FOR"]; elseif (isset($_SERVER["HTTP_CLIENT_IP"])) $ip = $_SERVER["HTTP_CLIENT_IP"]; elseif (isset($_SERVER["REMOTE_ADDR"])) $ip = $_SERVER["REMOTE_ADDR"]; elseif (getenv("HTTP_X_FORWARDED_FOR")) $ip = getenv("HTTP_X_FORWARDED_FOR"); elseif (getenv("HTTP_CLIENT_IP")) $ip = getenv("HTTP_CLIENT_IP"); elseif (getenv("REMOTE_ADDR")) $ip = getenv("REMOTE_ADDR"); else $ip = "Unknown"; return $ip; } 直接获取了$_SERVER["HTTP_X_FORWARDED_FOR"]，gpc也没用了。导致了注入。我输出语句演示。 ### 漏洞证明： [<img src="https://images.seebug.org/upload/201407/11102446801bda963486bdf93fd0115dcd514959.png" alt="111.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/11102446801bda963486bdf93fd0115dcd514959.png) [<img src="https://images.seebug.org/upload/201407/111025039ee1fa69d620b022680ee5460070e1a4.png" alt="222.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/111025039ee1fa69d620b022680ee5460070e1a4.png)