### 简要描述: 攒wb~ ### 详细说明: 漏洞存在版本为PHPDisk F-Core系列 测试版本为PHPDisk F-Core v1.1 20140703 SQL注入在发布资源时被触发,参数post_tag为注入点,上代码 /modules/post.inc.php,第124行左右 ``` $db->query_unbuffered("insert into {$tpf}posts set ".$db->sql_array($ins).""); $pid = $db->insert_id(); make_tags($tags,$tag_arr,$pid);//注入点 $db->query_unbuffered("update {$tpf}categories set cate_num=cate_num+1 where cate_id='$cate_id'"); $sysmsg[] = $settings[pd_post_name].'发布成功'; ``` 跟进make_tags函数看一下 ``` function make_tags($tags,$tag_arr,$file_id){ global $db,$tpf,$timestamp,$pd_uid; if($tags){ $tags = filter_tag($tags); $tags_str = ''; for($i=0;$i<count($tag_arr);$i++){ if($tag_arr[$i]){ $tags_str .= "'".filter_tag($tag_arr[$i])."',";//filter_tag对tag的值做了处理 $rs = $db->fetch_one_array("select count(*) as total from {$tpf}post2tag where tag_name='{$tag_arr[$i]}' and pid='{$file_id}'"); if(!$rs['total']){ $ins = array( 'tag_name' => $tag_arr[$i], 'pid' => $file_id, ); $db->query_unbuffered("insert into {$tpf}post2tag set...
### 简要描述: 攒wb~ ### 详细说明: 漏洞存在版本为PHPDisk F-Core系列 测试版本为PHPDisk F-Core v1.1 20140703 SQL注入在发布资源时被触发,参数post_tag为注入点,上代码 /modules/post.inc.php,第124行左右 ``` $db->query_unbuffered("insert into {$tpf}posts set ".$db->sql_array($ins).""); $pid = $db->insert_id(); make_tags($tags,$tag_arr,$pid);//注入点 $db->query_unbuffered("update {$tpf}categories set cate_num=cate_num+1 where cate_id='$cate_id'"); $sysmsg[] = $settings[pd_post_name].'发布成功'; ``` 跟进make_tags函数看一下 ``` function make_tags($tags,$tag_arr,$file_id){ global $db,$tpf,$timestamp,$pd_uid; if($tags){ $tags = filter_tag($tags); $tags_str = ''; for($i=0;$i<count($tag_arr);$i++){ if($tag_arr[$i]){ $tags_str .= "'".filter_tag($tag_arr[$i])."',";//filter_tag对tag的值做了处理 $rs = $db->fetch_one_array("select count(*) as total from {$tpf}post2tag where tag_name='{$tag_arr[$i]}' and pid='{$file_id}'"); if(!$rs['total']){ $ins = array( 'tag_name' => $tag_arr[$i], 'pid' => $file_id, ); $db->query_unbuffered("insert into {$tpf}post2tag set ".$db->sql_array($ins).";"); } unset($rs); } } $tags_str = (substr($tags_str,-1) ==',') ? substr($tags_str,0,-1) : $tags_str; $db->query_unbuffered("update {$tpf}tags set tag_count=tag_count-1 where tag_name in (select tag_name from {$tpf}post2tag where pid='$file_id')"); //echo "delete from {$tpf}post2tag where pid='$file_id' and tag_name not in ($tags_str)"; $db->query_unbuffered("delete from {$tpf}post2tag where pid='$file_id' and tag_name not in ($tags_str)"//留下反斜杠注入发生 ``` filter_tag函数是重点,跟进这个函数看下 ``` function filter_tag($str){ return str_replace(array('"',"'",'/','(',')','*'),'',$str); } ``` 这个函数对单引号等特殊字符进行过滤,过滤为空~,但是由POST传入的数据是经过addslashes过滤的,在这里再把单引号拿掉的话,就会把反斜杠给剩下,导致注入的发生 ### 漏洞证明: 本地搭建环境来测试一下 [<img src="https://images.seebug.org/upload/201407/04143759109b0b3817ff9223235e875373f75a96.jpg" alt="QQ截图20140704143809.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/04143759109b0b3817ff9223235e875373f75a96.jpg) 官方测试站点也测一下 http://demo.phpdisk.com/f/ [<img src="https://images.seebug.org/upload/201407/041440405d1763d09e3f6f94d0b1f687b1dc7469.jpg" alt="QQ截图20140704144100.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/041440405d1763d09e3f6f94d0b1f687b1dc7469.jpg) [<img src="https://images.seebug.org/upload/201407/041440554453ec2301a37fe0b140831effc85ee2.jpg" alt="QQ截图20140704144116.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/041440554453ec2301a37fe0b140831effc85ee2.jpg) 没有mysql报错,盲注或者延时都可以
