VULHUB ™

### 简要描述： 过滤不严。 ### 详细说明： 在app\controller\picture.class.php中 ``` public function delete() { $this->userIsLogin (); $_Obj = M($this->objName); $msgObj = new Msg(); $id = $_GET['id']; $idAry = $_POST['id']; $idStr = count($idAry) == 0 ? intval($id) : implode(",", $idAry); $newIdAry = explode(",", $idStr); $idSize = count($newIdAry); if (empty($newIdAry[0]) && empty($id)) { $msgObj->addMsg('error', Config::lang("PLEASECHOOSEDELETEDATA")); } for ($i = 0; $i < $idSize; $i++) { $newsObj = get("picture",$newIdAry[$i]); if (Authen::checkIsSelfData($newsObj->uid)) { $_Obj->deleteById($newIdAry[$i]); } else { $msgObj->addMsg('error', Config::lang("CANBEDELNOTSELFNEWS")); } } ``` $idAry = $_POST['id']; 可以看到都没有intval 这里用逗号切割 ``` if (Authen::checkIsSelfData($newsObj->uid)) { $_Obj->deleteById($newIdAry[$i]); } ``` 要满足这个。 ``` public static function checkIsSelfData($uid) { if (self::isAdmin()) {return true;} if ($uid == $_COOKIE['userId'] && self::checkUserLogin()) {return true;} return...

### 简要描述： 过滤不严。 ### 详细说明： 在app\controller\picture.class.php中 ``` public function delete() { $this->userIsLogin (); $_Obj = M($this->objName); $msgObj = new Msg(); $id = $_GET['id']; $idAry = $_POST['id']; $idStr = count($idAry) == 0 ? intval($id) : implode(",", $idAry); $newIdAry = explode(",", $idStr); $idSize = count($newIdAry); if (empty($newIdAry[0]) && empty($id)) { $msgObj->addMsg('error', Config::lang("PLEASECHOOSEDELETEDATA")); } for ($i = 0; $i < $idSize; $i++) { $newsObj = get("picture",$newIdAry[$i]); if (Authen::checkIsSelfData($newsObj->uid)) { $_Obj->deleteById($newIdAry[$i]); } else { $msgObj->addMsg('error', Config::lang("CANBEDELNOTSELFNEWS")); } } ``` $idAry = $_POST['id']; 可以看到都没有intval 这里用逗号切割 ``` if (Authen::checkIsSelfData($newsObj->uid)) { $_Obj->deleteById($newIdAry[$i]); } ``` 要满足这个。 ``` public static function checkIsSelfData($uid) { if (self::isAdmin()) {return true;} if ($uid == $_COOKIE['userId'] && self::checkUserLogin()) {return true;} return false;javascript:void(0) } ``` 首先我们要自己去注册一个号 然后发表一个图片。 然后切割后就带入了查询。 ### 漏洞证明： [<img src="https://images.seebug.org/upload/201405/02184118116dbaefa9d12c4fa7d1503bc37f2336.jpg" alt="t2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/02184118116dbaefa9d12c4fa7d1503bc37f2336.jpg) [<img src="https://images.seebug.org/upload/201405/0218420472beb91cefb2bbc9fd3c2bec18a6f93c.jpg" alt="t3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/0218420472beb91cefb2bbc9fd3c2bec18a6f93c.jpg) 发现执行的语句又有切割了后执行的 又有没切割的执行的。 没切割的就能来盲注了。