### 简要描述:

PHPshe 注入漏洞2

### 详细说明:

```
<?php
pe_lead('hook/product.hook.php');
switch ($act) {
	//#####################@ 商品咨询 @#####################//
	case 'askadd':
		if (isset($_p_pesubmit)) {
			$info['product_id'] = intval($_g_id);
			$info['ask_text'] = pe_texthtml(pe_dbhold($_p_ask_text));
			$info['ask_atime'] = time();
			$info['user_id'] = $_s_user_id;
			$info['user_name'] = $_s_user_name;
			$info['user_ip'] = pe_ip();//ip获取直接注入
			if ($db->pe_insert('ask', $info)) {
				product_num('asknum', $info['product_id']);
				$result = true;
				$info['ask_atime'] = pe_date($info['ask_atime']);
				$info['ask_text'] = htmlspecialchars($_p_ask_text);
				$html = <<<html
<ul>
<li class="fl">

function pe_ip() {
	if (isset($_SERVER)){
		if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])){
			$realip = $_SERVER["HTTP_X_FORWARDED_FOR"];
		} else if (isset($_SERVER["HTTP_CLIENT_IP"])) {
			$realip = $_SERVER["HTTP_CLIENT_IP"];
		} else {
			$realip = $_SERVER["REMOTE_ADDR"];
		}
	} else {
		if (getenv("HTTP_X_FORWARDED_FOR")){
			$realip = getenv("HTTP_X_FORWARDED_FOR");
		} else if (getenv("HTTP_CLIENT_IP")) {
			$realip = getenv("HTTP_CLIENT_IP");
		} else {
			$realip = getenv("REMOTE_ADDR");
		}
	}
	return $realip;
}
```

说明：上面是两段节选——`askadd` 分支（在 heredoc 处截断）和 `pe_ip()` 的定义。`pe_ip()` 优先返回 `HTTP_X_FORWARDED_FOR`、`HTTP_CLIENT_IP`，这两个值都来自客户端请求头，函数内没有做任何 IP 格式校验；返回值被直接放进 `$info['user_ip']` 交给 `pe_insert`，而同一数组里的 `product_id` 经过了 `intval`，`ask_text` 经过了 `pe_dbhold`。`pe_insert` 的实现本页没有给出，按下面的测试结果推断它没有对字段值做转义。修复时应让 `pe_ip()` 用 `filter_var($realip, FILTER_VALIDATE_IP)` 校验后再返回（校验失败则退回 `REMOTE_ADDR`），只有部署在可信反向代理之后才读取转发头，并让入库语句使用参数化查询或统一转义。

### 漏洞证明:

测试方法：打开 `http://127.0.0.1/phpshe/index.php?mod=product&act=askadd`，POST 提交 `pesubmit=1`，然后抓包，在 HTTP 头里面添加 `X_FORWARDED_FOR: 1'` 就可以了。

[<img src="https://images.seebug.org/upload/201312/14005514c2ad2210d8e3b0ac18d8cf7256a47718.png" alt="QQ截图20131214005012.png" width="600">](https://images.seebug.org/upload/201312/14005514c2ad2210d8e3b0ac18d8cf7256a47718.png)