### Summary:

Thinksaas SQL injection #5

### Details:

Thinksaas SQL injection #5. SQL injection in the points-redemption module, in the goods edit handler.

First location: /app/redeem/action/edit.php

```php
case "do":
    $goodsid = intval($_POST['goodsid']);
    $cateid  = intval($_POST['cateid']);
    $title   = trim($_POST['title']);   // the problem is here
    $content = trim($_POST['content']); // the problem is here
    $nums    = intval($_POST['nums']);
    $scores  = intval($_POST['scores']);
    $return  = intval($_POST['return']);
    $new['redeem']->update('redeem_goods', array(
        'goodsid' => $goodsid,
    ), array(
        'cateid'  => $cateid,
        'title'   => $title,   // the problem is here
        'content' => $content, // the problem is here
        'nums'    => $nums,
        'scores'  => $scores,
        'return'  => $return,
    ));
```

`$title` and `$content` are only trimmed, not filtered, before being passed into `update()`:

```php
public function update($table, $conditions, $row) {
    $where = "";
    if (empty($row))
        return FALSE;
    if (is_array($conditions)) {
        $join = array();
        foreach ($conditions as $key => $condition) {
            $condition = $this->escape($condition); // WHERE values are escaped...
            $join[] = "{$key} = {$condition}";
        }
        $where = "WHERE " . join(" AND ", $join);
    } else {
        if (null != $conditions)
            $where = "WHERE " . $conditions;
    }
    foreach ($row as $key => $value) {
        $vals[] = "`$key` = '$value'"; // ...but SET values are interpolated as-is
    }
    $values = join(", ", $vals);
    $sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}";
    return $this->db->query($sql);
}
```

`update()` does not filter the contents of `$row` either, so our input goes straight into the SQL statement and causes an injection.

### Proof of concept:

First, look at a normal redemption item:

![1.png](https://images.seebug.org/upload/201312/2311241693cc61ffbb5707be80db63e3448d420c.png)

Edit the item and enter the following:

![2.png](https://images.seebug.org/upload/201312/23112431ad805bb912dcc6cb8c192b82bb211250.png)

After saving, look at the result:

![3.png](https://images.seebug.org/upload/201312/2311244673b9d0199b82a83fe0ba6fabba8c475e.png)

ok
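As an added example (not Thinksaas code), the helper below shows how the `update()` method quoted above can be rewritten so that every `SET` and `WHERE` value is bound as a parameter and every identifier is validated; it assumes PDO with SQLite for a self-contained run and the literal prefix `ts_` in place of the `dbprefix` constant.

```php
<?php
// Added example, not Thinksaas code: a parameterised replacement for the
// update() helper quoted above. Assumes PDO with SQLite for a self-contained
// run and the literal prefix "ts_" in place of the dbprefix constant.
function safe_update(PDO $db, string $table, array $conditions, array $row): int
{
    // Placeholders cannot bind identifiers, so table and column names are
    // restricted to plain identifiers instead of being interpolated blindly.
    $ident = '/^[A-Za-z_][A-Za-z0-9_]*$/';
    foreach (array_merge([$table], array_keys($conditions), array_keys($row)) as $name) {
        if (!preg_match($ident, (string) $name)) {
            throw new InvalidArgumentException("Bad identifier: $name");
        }
    }
    // Distinct prefixes keep placeholder names unique even when the same
    // column appears in both SET and WHERE.
    $set   = implode(', ', array_map(fn($k) => "`$k` = :set_$k", array_keys($row)));
    $where = implode(' AND ', array_map(fn($k) => "`$k` = :where_$k", array_keys($conditions)));
    $stmt  = $db->prepare("UPDATE ts_{$table} SET {$set} WHERE {$where}");
    foreach ($row as $k => $v) {
        $stmt->bindValue(":set_$k", $v);
    }
    foreach ($conditions as $k => $v) {
        $stmt->bindValue(":where_$k", $v);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed demo table standing in for redeem_goods.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ts_redeem_goods (goodsid INTEGER PRIMARY KEY, cateid INTEGER, title TEXT, content TEXT)');
$db->exec("INSERT INTO ts_redeem_goods VALUES (1, 1, 'old title', 'old content')");

// Constructed input containing a quote and an SQL fragment, the kind of value
// the original update() would splice into its query string unescaped.
$title = "Tom's', `content` = 'injected' -- ";
safe_update($db, 'redeem_goods', ['goodsid' => 1], ['cateid' => 2, 'title' => $title, 'content' => 'new']);

$saved = $db->query('SELECT title, content FROM ts_redeem_goods WHERE goodsid = 1')->fetch(PDO::FETCH_ASSOC);
if ($saved['title'] !== $title || $saved['content'] !== 'new') {
    throw new RuntimeException('value was not stored literally');
}
echo "title stored verbatim: {$saved['title']}\n";
```

The title is stored exactly as typed and `content` keeps the value the caller supplied, which is the behaviour the string-concatenating original cannot guarantee.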