### 简要描述: 漏洞很多,一个一个提交太麻烦了,一起提交吧,希望能走个大厂商 ### 详细说明: 第一处SQL注入 /app/group/action/do.php ``` //编辑小组基本信息 case "edit_base": $groupname = t($_POST['groupname']); $groupdesc = tsClean($_POST['groupdesc']); if($groupname=='' || $groupdesc=='') tsNotice("小组名称和介绍都不能为空!"); //过滤内容开始 aac('system')->antiWord($groupname); aac('system')->antiWord($groupdesc); //过滤内容结束 $isgroupname = $new['group']->findCount('group',array( 'groupname'=>$groupname, )); $groupid = intval($_POST['groupid']); $strGroup = $new['group']->find('group',array( 'groupid'=>$groupid, )); if($isgroupname > 0 && $strGroup['groupname']!=$groupname) tsNotice('小组名称已经存在!'); $new['group']->update('group',array( 'groupid'=>$groupid, ),array( 'groupname' => trim($_POST['groupname']), 'groupdesc' => trim($_POST['groupdesc']), 'joinway' => intval($_POST['joinway']), 'ispost' => intval($_POST['ispost']), 'isopen' => intval($_POST['isopen']), 'ispostaudit' => intval($_POST['ispostaudit']), )); tsNotice('基本信息修改成功!'); break; ``` 在编辑小组信息时,代码虽然先用 t() 和 tsClean() 生成了 $groupname/$groupdesc 用于非空和重名检查,但 update() 的 row 参数写入的却是未经任何过滤的 trim($_POST['groupname']) 和 trim($_POST['groupdesc']),也就是"校验的值"和"入库的值"不是同一个,导致SQL注入。修复建议:入库时复用已过滤的 $groupname/$groupdesc,并在模型层的 update() 中对列值使用预处理语句或按数据库驱动转义,而不是依赖上层的内容过滤。另外,该片段中既未见 token 校验,也未见"当前用户是否为该小组管理员"的判断,若上下文中同样没有,则任意登录用户都可修改任意 groupid 的小组信息,需一并确认。 第二处SQL注入: /app/group/action/do.php ``` //回复评论 case "recomment": if($_POST['token'] != $_SESSION['token']) { echo 1;exit; } $referid = intval($_POST['referid']); $topicid = intval($_POST['topicid']); $content = tsClean($_POST['content']); $addtime = time(); $db->query("insert into ".dbprefix."group_topic_comment (`referid`,`topicid`,`userid`,`content`,`addtime`) values ('$referid','$topicid','$userid','$content','$addtime')"); ``` 回复评论处 content 只经过 tsClean() 处理(从利用结果看,该函数面向内容清洗,并不转义 SQL 元字符),随后被直接拼接进 $db->query() 的 insert 语句字符串,导致基于时间的盲注。修复建议:改用预处理语句,用占位符绑定 content 等值;至少也应在拼接前按数据库驱动转义。另外此处 token 比较用的是松散的 !=,若存在会话中 token 尚未设置的路径,null != null 为假,校验会被直接通过,建议改为 hash_equals() 并要求 token 非空。 证明如图,会延迟10s: [<img src="https://images.seebug.org/upload/201402/2416273585193309bcc9554e4e23bc99f44a8271.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/2416273585193309bcc9554e4e23bc99f44a8271.png) 第三处SQL注入: /app/group/action/topicedit.php ``` /编辑帖子执行 case "do": if($_POST['token'] != $_SESSION['token']) { tsNotice('非法操作!'); } $topicid = intval($_POST['topicid']); $title = trim($_POST['title']); $typeid = intval($_POST['typeid']); 
$content = cleanJs($_POST['content']); $iscomment = intval($_POST['iscomment']); ...... if($strTopic['userid']==$userid || $strGroup['userid']==$userid || $TS_USER['user']['isadmin']==1 || $strGroupUser['isadmin']==1){ $new['group']->update('group_topic',array( 'topicid'=>$topicid, ),array( 'typeid' => $typeid, 'title'=>$title, 'content'=>$content, 'iscomment' => $iscomment, )); ``` 在编辑帖子时,title 只做了 trim(),content 只经过 cleanJs()(从命名看用于清理脚本内容,而非转义 SQL),两者都直接进入 update() 的 row 参数,存在SQL注入。由于前面有 userid/管理员判断,利用者需要是帖子作者、小组创建者、站点管理员或小组管理员之一,但普通用户自己发一个帖子即可满足"作者"条件,因此仍是任意登录用户可触发。另外 token 校验失败时只调用了 tsNotice() 而没有显式 exit,能否中止后续执行取决于 tsNotice() 的实现,需确认。 证明如图: [<img src="https://images.seebug.org/upload/201402/24162832f9db686f4d49df8ea804331ac1eba995.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/24162832f9db686f4d49df8ea804331ac1eba995.png) 第四处SQL注入: /app/photo/action/edit.php ``` case "do": if($_POST['token'] != $_SESSION['token']) { tsNotice('非法操作!'); } $photoid = intval($_POST['photoid']); $photoname = tsClean($_POST['photoname']); $photodesc = tsClean($_POST['photodesc']); $new['photo']->update('photo',array( 'photoid'=>$photoid, ),array( 'photoname'=>$photoname, 'photodesc'=>$photodesc, )); header('Location: '.tsUrl('photo','show',array('id'=>$photoid))); break; ``` 修改单个图片信息时,photoname 和 photodesc 虽然经过 tsClean(),但与第二处一样,该函数并不转义 SQL 元字符,两者直接进入 update() 的 row 参数,导致SQL注入。另外,片段中除 token 校验外未见 photoid 与当前用户的归属判断,若上下文中同样没有,则任意登录用户都可改写他人图片的信息,需一并确认。 证明如图: [<img src="https://images.seebug.org/upload/201402/241629253b6b42745416a3f5241903cdb991d09f.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/241629253b6b42745416a3f5241903cdb991d09f.png) 第五处SQL注入 /app/tag/action/add.php ``` case "do": $objname = tsFilter($_POST['objname']); $idname = tsFilter($_POST['idname']); $objid = intval($_POST['objid']); $tags = t($_POST['tags']); $new['tag']->addTag($objname,$idname,$objid,$tags); tsNotice('标签添加成功!'); break; ``` 在函数addTag()中: ``` $tagIndexCount = $this->findCount('tag_'.$objname.'_index',array( $idname=>$objid, 'tagid'=>$tagid, )); ``` idname 虽经 tsFilter() 过滤,但随后被当作查询条件数组的 key(即 SQL 中的列名)使用;从注入结果看,模型层只对数组的值做处理,对 key 不做任何转义,而 tsFilter() 属于字符黑名单过滤,可用制表符绕过,于是 idname 被注入到 where 子句的标识符位置,导致SQL注入。同理,$objname 被直接拼接进表名 'tag_'.$objname.'_index',是同一类标识符注入入口;且该 case 中未见 token 校验。修复建议:对 objname 和 idname 使用白名单,与允许的对象名/表名和主键列名严格比对(如 in_array(..., true)),而不是依赖字符黑名单过滤。 证明如图: [<img src="https://images.seebug.org/upload/201402/2416313701e8165e7621efc00a0563b4869a423e.png" alt="1.png" width="600" 
onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/2416313701e8165e7621efc00a0563b4869a423e.png) 在日志中看到注入结果: [<img src="https://images.seebug.org/upload/201402/24163150696ebfa7554a9608cc45e45713de9e44.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/24163150696ebfa7554a9608cc45e45713de9e44.png) ### 漏洞证明: 见详细说明。上述五处的共同根因是:模型层的 update()/findCount() 以及手工拼接的 $db->query() 把 SQL 安全交给了上层的内容过滤函数(t/tsClean/cleanJs/tsFilter),而这些函数面向 XSS 和内容清洗,并不保证 SQL 元字符被转义,也不处理作为列名/表名使用的标识符;因此单点打补丁之外,应在数据访问层统一改为预处理语句绑定列值,并对表名、列名等标识符只接受白名单。