### Summary:

Multiple SQL injections in the DESTOON admin backend.

### Details:

The backend has far too many SQL injection points, for example:

```
http://localhost/destoon/admin.php?file=admin&action=edit&userid=1
```

```
http://localhost/destoon/admin.php?moduleid=1&file=admin
```

```
http://localhost/destoon/admin.php?moduleid=1&file=admin&action=add
```

```
http://localhost/destoon/admin.php?file=database
```

```
http://localhost/destoon/admin.php?file=database&action=process
```

```
http://localhost/destoon/admin.php?rand=92&file=database&action=execute
```

![1.png](https://images.seebug.org/upload/201307/26113653ae3f7a13079d9fb1d688c96dc6c9c4e8.png)

Take this one:

```
http://localhost/destoon/admin.php?rand=92&file=database&action=execute
```

```
case 'execute':
    // Feature gate: only reachable when executesql is enabled in config.inc.php
    if(!isset($CFG['executesql']) || !$CFG['executesql']) msg('系统禁止了执行SQL,请FTP修改根目录config.inc.php<br/>$CFG[\'executesql\'] = \'0\'; 修改为 $CFG[\'executesql\'] = \'1\';');
    if($submit) {
        if(trim($sql) == '') {
            msg('SQL语句为空');
        } else {
            $sql = stripslashes($sql);
            // The only check is a blocklist for DROP TABLE / DROP DATABASE;
            // everything else in $sql reaches sql_execute() unfiltered
            if(preg_match("/DROP(.*)(TABLE|DATABASE)/i", $sql)) msg('系统禁止DROP语句');
            sql_execute($sql);
            dmsg('执行成功', '?file='.$file.'&action=execute');
        }
    } else {
        include tpl('database_execute');
    }
break;
```

The variable `$sql` is not filtered at all; it is passed straight to `sql_execute($sql)`. The result is shown below:

![2.png](https://images.seebug.org/upload/201307/26113815a5f4ddef1aca5fb3c49ae7c3789f083a.png)

![3.png](https://images.seebug.org/upload/201307/26113825d64830174e2605b1a2ef906f78442f2a.png)

There are many more injection points in the backend; I will not list them one by one. Even though this is all in the admin backend, injections are everywhere, and such elementary mistakes are still bad.

### Proof of vulnerability:

See the detailed description.
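Since the affected endpoints are all reachable through `admin.php` with a small set of `file`/`action` values, a defender can at least watch for them in web server logs. The following is an added example, not part of the advisory and not DESTOON code: it parses combined-format access log lines (the sample lines are constructed), flags requests to the admin endpoints the advisory lists, and additionally flags the `userid` and `moduleid` parameters when they carry anything other than digits, which is the only shape the advisory's own URLs give them.

```python
"""Flag requests to the DESTOON admin endpoints named in the advisory.
Added example for detection; not DESTOON's own code."""
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: only the client IP, method, request target and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (hypothetical traffic, not from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jul/2013:11:36:53 +0800] "GET /destoon/admin.php?file=database&action=execute&rand=92 HTTP/1.1" 200 512
10.0.0.5 - - [26/Jul/2013:11:38:15 +0800] "POST /destoon/admin.php?file=database&action=execute HTTP/1.1" 200 2048
10.0.0.7 - - [26/Jul/2013:11:40:01 +0800] "GET /destoon/admin.php?file=admin&action=edit&userid=1 HTTP/1.1" 200 900
10.0.0.7 - - [26/Jul/2013:11:40:09 +0800] "GET /destoon/admin.php?file=admin&action=edit&userid=1%27%20or%201=1 HTTP/1.1" 200 900
10.0.0.9 - - [26/Jul/2013:11:41:00 +0800] "GET /destoon/index.php HTTP/1.1" 200 300
"""

# (file, action) pairs taken from the URLs in the advisory; None means no action parameter.
SENSITIVE_ENDPOINTS = {
    ("database", "execute"), ("database", "process"), ("database", None),
    ("admin", "edit"), ("admin", "add"), ("admin", None),
}

# Parameters the advisory's URLs only ever show as integers.
NUMERIC_PARAMS = ("userid", "moduleid")


def classify(target):
    """Return the reasons (possibly none) a request target deserves review."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin.php"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    file_ = query.get("file", [None])[0]
    action = query.get("action", [None])[0]
    reasons = []
    if (file_, action) in SENSITIVE_ENDPOINTS:
        reasons.append(f"admin endpoint file={file_} action={action}")
    for name in NUMERIC_PARAMS:
        for value in query.get(name, []):
            if not value.isdigit():
                reasons.append(f"non-numeric {name}={value!r}")
    return reasons


def scan_log(text):
    """Parse each log line and collect (ip, method, target, reasons) for hits."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        reasons = classify(match.group("target"))
        if reasons:
            alerts.append((match.group("ip"), match.group("method"),
                           match.group("target"), reasons))
    return alerts


if __name__ == "__main__":
    for ip, method, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, method, target, "; ".join(reasons))
```

Every hit on `file=database&action=execute` is worth reviewing regardless of the parameter values, because the feature exists only to run arbitrary SQL and the code gates it solely on `$CFG['executesql']`; on a deployment where that setting is left at `0`, any such request is unexpected. The numeric-parameter check is deliberately narrow (digits only) so that it produces no noise on the ordinary `userid=1` style URLs the advisory shows.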