2014-03-18: 细节已通知厂商并且等待厂商处理中 2014-03-26: 厂商已经确认,细节仅向厂商公开 2014-03-29: 细节向第三方安全合作伙伴开放 2014-05-20: 细节向核心白帽子及相关领域专家公开 2014-05-30: 细节向普通白帽子公开 2014-06-09: 细节向实习白帽子公开 2014-06-16: 细节向公众公开
过滤不严。位于同一文件中。
在member.php中。注入1 :
else if($a == 'delfavorite'){ if(is_array($checkid)) { foreach($checkid as $v) { $dosql->ExecNoneQuery("DELETE FROM `#@__userfavorite` WHERE `id`=$v AND `uname`='$c_uname'"); } } header('location:?c=favorite'); exit();}
数组遍历 然后 带入查询 无单引号。
有图有真相。类似的 2:
else if($a == 'delmsg'){ if(is_array($checkid)) { foreach($checkid as $v) { $dosql->ExecNoneQuery("DELETE FROM `#@__message` WHERE `id`=$v AND `nickname`='$c_uname'"); } }
原理一样 都不多说了。类似的3:
else if($a == 'delorder'){ if(is_array($checkid)) { foreach($checkid as $v) { $dosql->ExecNoneQuery("DELETE FROM `#@__goodsorder` WHERE `id`=$v AND `username`='$c_uname'"); } }
类似的4:
else if($a == 'delcomment'){ //是否开去文章评论功能 if($cfg_comment == 'N') exit(); if(is_array($checkid)) { foreach($checkid as $v) { $dosql->ExecNoneQuery("DELETE FROM `#@__usercomment` WHERE `id`=$v AND `uname`='$c_uname'"); } } header('location:?c=comment'); exit();}
注入 5:
else if($a == 'getgoods'){ $r = $dosql->GetOne("SELECT `checkinfo` FROM `#@__goodsorder` WHERE `username`='$c_uname' AND `id`=$id"); $checkinfo = explode(',',$r['checkinfo']); if(!in_array('getgoods', $checkinfo)) { $checkinfo = $r['checkinfo'].',getgoods'; } $dosql->ExecNoneQuery("UPDATE `#@__goodsorder` SET checkinfo='$checkinfo' WHERE `username`='$c_uname' AND `id`=$id"); header('location:?c=ordershow&id='.$id); exit();}
这里$id 可控 并且无intval 直接带入了查询 无单引号 可注入。
不用多说了把?注入6:
else if($a == 'applyreturn'){ $r = $dosql->GetOne("SELECT `checkinfo` FROM `#@__goodsorder` WHERE `username`='$c_uname' AND `id`=$id"); $checkinfo = explode(',',$r['checkinfo']); if(!in_array('applyreturn', $checkinfo)) { $checkinfo = $r['checkinfo'].',applyreturn'; } $dosql->ExecNoneQuery("UPDATE `#@__goodsorder` SET checkinfo='$checkinfo' WHERE `username`='$c_uname' AND `id`=$id"); header('location:?c=ordershow&id='.$id);
跟注入5一样 不多说。注入7:
else if($a == 'getarea'){ //初始化参数 $datagroup = isset($datagroup) ? $datagroup : ''; $level = isset($level) ? $level : ''; $v = isset($areaval) ? $areaval : '0'; if($datagroup == '' or $level == '' or $v == '') { header('location:?c=default'); exit(); } $str = '<option value="-1">--</option>'; $sql = "SELECT * FROM `#@__cascadedata` WHERE `level`=$level And "; if($v == 0) $sql .= "datagroup='$datagroup'"; else if($v % 500 == 0) $sql .= "`datagroup`='$datagroup' AND `datavalue`>$v AND `datavalue`<".($v + 500); else $sql .= "`datavalue` LIKE '$v.%%%' AND `datagroup`='$datagroup'"; $sql .= " ORDER BY orderid ASC, datavalue ASC"; $dosql->Execute($sql); while($row = $dosql->GetArray())
这里$level 直接带入查询当中 无单引号 直接注入
注入8:
else if($a == 'savecomment'){ //是否开去文章评论功能 if($cfg_comment == 'N') exit(); //初始化参数 $aid = isset($aid) ? $aid : ''; $molds = isset($molds) ? $molds : ''; $body = isset($body) ? htmlspecialchars($body) : ''; $link = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''; if($aid == '' or $molds == '' or $body == '') { header('location:?c=default'); exit(); } $reply = ''; if(empty($c_uname)) { $uid = '-1'; $uname = '游客'; } else { $r = $dosql->GetOne("SELECT `id`,`expval`,`integral` FROM `#@__member` WHERE `username`='$c_uname'"); $uid = $r['id']; $uname = $c_uname; } $time = time(); $ip = GetIP(); $dosql->ExecNoneQuery("INSERT INTO `#@__usercomment` (aid,molds,uid,uname,body,reply,link,time,ip,isshow) VALUES ('$aid','$molds','$uid','$uname','$body','$reply','$link','$time','$ip','1')");
$link是referer 可控。 并且直接带入了insert中
直接注入注入9:
else if($a == 'savefavorite'){ $aid = isset($aid) ? $aid : ''; $molds = isset($molds) ? $molds : ''; $link = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''; if($aid == '' or $molds == '' or $link == '') { header('location:?c=default'); exit(); } $r = $dosql->GetOne("SELECT `id`,`expval`,`integral` FROM `#@__member` WHERE `username`='$c_uname'"); $uid = $r['id']; $uname = $c_uname; $time = time(); $ip = GetIP(); $r2 = $dosql->GetOne("SELECT `aid`,`molds` FROM `#@__userfavorite` WHERE `aid`=$aid and `molds`=$molds"); if(!is_array($r2)) { echo aaaa;exit; $dosql->ExecNoneQuery("INSERT INTO `#@__userfavorite` (aid,molds,uid,uname,link,time,ip,isshow) VALUES ('$aid','$molds','$uid','$uname','$link','$time','$ip','1')"); //收藏一条增加1经验值2积分
跟注入8一样 就不多说了。
见详细说明。
无尽的过滤。
危害等级:中
漏洞Rank:8
确认时间:2014-03-26 17:11
漏洞存在。
暂无
mark