### 简要描述: UCHome 注入漏洞 2（需要 GPC=OFF，与之前那个类似） ### 详细说明: ``` cp_blog.php if(submitcheck('blogsubmit')) { if(empty($blog['blogid'])) { $blog = array(); } else { if(!checkperm('allowblog')) { ckspacelog(); showmessage('no_authority_to_add_log'); } } //验证码 if(checkperm('seccode') && !ckseccode($_POST['seccode'])) { showmessage('incorrect_code'); } include_once(S_ROOT.'./source/function_blog.php'); if($newblog = blog_post($_POST, $blog)) {//调用~~ if(empty($blog) && $newblog['topicid']) { $url = 'space.php?do=topic&topicid='.$newblog['topicid'].'&view=blog'; } else { $url = 'space.php?uid='.$newblog['uid'].'&do=blog&id='.$newblog['blogid']; } showmessage('do_success', $url, 0); } else { function_log.php function blog_post($POST, $olds=array()) { global $_SGLOBAL, $_SC, $space; //操作者角色切换 $isself = 1; if(!empty($olds['uid']) && $olds['uid'] != $_SGLOBAL['supe_uid']) { 省略若干···· $uploads = array(); if(!empty($POST['picids'])) { $picids = array_keys($POST['picids']);//注入在这里 pop了KEY出来 $query = $_SGLOBAL['db']->query("SELECT * FROM ".tname('pic')." 
WHERE picid IN (".simplode($picids).") AND uid='$_SGLOBAL[supe_uid]'");//带入了查询 while ($value = $_SGLOBAL['db']->fetch_array($query)) { if(empty($titlepic) && $value['thumb']) { $titlepic = $value['filepath'].'.thumb.jpg'; $blogarr['picflag'] = $value['remote']?2:1; } ``` ### 漏洞证明: 利用方法：注册用户后登录，然后点击“日志”，创建新日志，然后打开 Burp 进行抓包，找一个没有用的 POST 选项，改成 picids['] 然后再提交，就可以看到结果了。 [<img src="https://images.seebug.org/upload/201311/261823007e879394633b272d8cdefbed6e38fb0b.jpg" alt="pl.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201311/261823007e879394633b272d8cdefbed6e38fb0b.jpg) [<img src="https://images.seebug.org/upload/201311/26182311606849be4a9906d4acbde9d08c7c955e.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201311/26182311606849be4a9906d4acbde9d08c7c955e.jpg) [<img src="https://images.seebug.org/upload/201311/26182326b558c2fa5a2e975c9b83b50b3d750e4c.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201311/26182326b558c2fa5a2e975c9b83b50b3d750e4c.jpg)