|Tipask问答系统可修改他人回答（官方Demo成功）

Tipask问答系统可修改他人回答（官方Demo成功）

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述： Tipask一处越权操作可非法操作他人回答 ### 详细说明：首先盯紧目标回答，比如这个问题的第一个回答： http://help.tipask.com/q-19260.html [<img src="https://images.seebug.org/upload/201405/07224643fc64e1784fa41940ee0d32bd7ce83d2a.png" alt="t0153afe5e564f8b65c.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/07224643fc64e1784fa41940ee0d32bd7ce83d2a.png) F12看一下评论按钮的链接，搞到回答的ID： [<img src="https://images.seebug.org/upload/201405/07224710f3b8cda91ddd6f6063a1be90ca6028b4.png" alt="t01588ef8d0012c888e.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/07224710f3b8cda91ddd6f6063a1be90ca6028b4.png) ID是3608，然后访问： http://help.tipask.com/question/editanswer/3608/0.html [<img src="https://images.seebug.org/upload/201405/07224958f8aa9d8f8b38baf43812a1dd4a4d40c1.png" alt="t012e6f977188496255.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/07224958f8aa9d8f8b38baf43812a1dd4a4d40c1.png) 提交之，修改成功： [<img src="https://images.seebug.org/upload/201405/072255587f0228e3fcda07494061e88408c61f61.png" alt="t019d5dd200677bd009.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/072255587f0228e3fcda07494061e88408c61f61.png) ---------------------------------- ``` 问题出在： control/question.php line323: function oneditanswer() { $navtitle = '修改回答'; $aid = $this->get[2] ? $this->get[2] : $this->post['aid']; $answer = $_ENV['answer']->get($aid); (!$answer) && $this->message("回答不存在或已被删除！", "STOP"); $question = $_ENV['question']->get($answer['qid']); $navlist = $_ENV['category']->get_navigation($question['cid'], true); if (isset($this->post['submit'])) { $content = $this->post['content']; $viewurl = urlmap('question/view/' . $question['id'], 2); //检查审核和内容外部URL过滤 $status = intval(2 != (2 & $this->setting['verify_question'])); $allow = $this->setting['allow_outer']; if (3 != $allow && has_outer($content)) { 0 == $allow && $this->message("内容包含外部链接，发布失败!", $viewurl); 1 == $allow && $status = 0; 2 == $allow && $content = filter_outer($content); } //检查违禁词 $contentarray = checkwords($content); 1 == $contentarray[0] && $status = 0; 2 == $contentarray[0] && $this->message("内容包含非法关键词，发布失败!", $viewurl); $content = $contentarray[1]; $_ENV['answer']->update_content($aid, $content, $status); if (0 == $status) { $this->message('修改回答成功！为了确保问答的质量，我们会对您的回答内容进行审核。请耐心等待......', $viewurl); } else { $this->message('修改回答成功！', $viewurl); } } include template("editanswer"); } ``` ``` 在348行跳到 model/answer.class.php的： line138: function update_content($aid, $content, $status = 0) { $this->db->query("UPDATE `" . DB_TABLEPRE . "answer` set content='$content',status=$status WHERE `id` =$aid"); } ``` sql语句没有判断userid就直接更新了回答内容，导致漏洞的产生 ### 漏洞证明： [<img src="https://images.seebug.org/upload/201405/072255587f0228e3fcda07494061e88408c61f61.png" alt="t019d5dd200677bd009.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/072255587f0228e3fcda07494061e88408c61f61.png)

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™