Supesite 前台二次注入一枚

### 简要描述： 二次猪肉。 ### 详细说明： 在cp.php中 ``` $ac = empty($_GET['ac']) ? 'profile' : trim($_GET['ac']); if(in_array($ac, array('index', 'news', 'profile', 'credit', 'models'))) { include_once(S_ROOT.'./source/cp_'.$ac.'.php'); ``` 包含文件进来 在source/cp_news.php中 ``` $newsarr = array('subject' => $_POST['subject'], 'catid' => $_POST['catid'], 'type' => $_POST['type'], 'lastpost' => $_SGLOBAL['timestamp']); $itemarr = array('message' => $_POST['message'], 'relativetags' => addslashes(serialize($tagnamearr)), //相关TAG 'newsfrom' => $_POST['newsfrom'], 'newsauthor' => $_POST['newsauthor'], 'newsfromurl' => $_POST['newsfromurl'], 'postip' => $_SGLOBAL['onlineip'], 'includetags' => postgetincludetags($_POST['message'], $tagnamearr) ); ``` 这里对投稿时的处理。 ``` $itemarr['itemid'] = inserttable('spaceitems', $newsarr, 1); //这里 inserttable('spacenews', $itemarr); getreward('postinfo'); postspacetag('add', $_POST['type'], $itemarr['itemid'], $tagarr,1); $do = 'pass'; } else { $itemarr['itemid'] = inserttable('postitems', $newsarr, 1); ``` 全局对_POST转义了 然后转义入库 转义符就没了。 找找出库的地方。 在viewcomment.php中 ``` if($channels['menus'][$type]['type'] == 'model') { include_once(S_ROOT.'./function/model.func.php'); $cacheinfo = getmodelinfoall('modelname', $type); if(empty($cacheinfo['models'])) { showmessage('visit_the_channel_does_not_exist', S_URL); } $modelsinfoarr = $cacheinfo['models']; $categories = $cacheinfo['categories']; $query = $_SGLOBAL['db']->query('SELECT i.*, ii.* FROM '.tname($type.'items').' i, '.tname($type.'message').' ii WHERE i.itemid = ii.itemid AND i.itemid=\''.$itemid.'\' AND i.allowreply=\'1\''); $ismodle = '1'; } else { $query = $_SGLOBAL['db']->query('SELECT i.*, ii.* FROM '.tname('spaceitems').' i, '.tname('spacenews').' ii WHERE i.itemid = ii.itemid AND i.itemid=\''.$itemid.'\' AND i.allowreply=\'1\'');//这里查询出来 $ismodle = '0'; } if(!$item = $_SGLOBAL['db']->fetch_array($query)) showmessage('not_found', S_URL)//出库; ``` $channel = $type = empty($item['type']) ? $type : $item['type']; 赋值的是查询出来的 就能引入单引号了。 ``` $sql = "SELECT COUNT(*) FROM ".tname('spacecomments')." WHERE itemid='$itemid' AND status='1' AND `type`='$type' $wherestr "; $listcount = $_SGLOBAL['db']->result($_SGLOBAL['db']->query($sql), 0); $iarr = array(); ``` 再把出库的带入到了查询当中 造成了注入。 在viewnews.php中 也有出库的 ``` if(!empty($_SCONFIG['viewspace_pernum']) && $listcount) { $repeatids = array(); $j = 1; $sql = "SELECT c.* FROM ".tname('spacecomments')." c WHERE c.itemid='$news[itemid]' AND c.type='$news[type]' AND status='1' ORDER BY c.dateline ".($_SCONFIG['commorderby']?'DESC':'ASC')." LIMIT 0, $_SCONFIG[viewspace_pernum]"; $query = $_SGLOBAL['db']->query($sql); ``` 注册一个会员 然后发帖 入库 [<img src="https://images.seebug.org/upload/201410/12154412c2d9fba2394aed266ac37cbec36c4b17.jpg" alt="s18.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/12154412c2d9fba2394aed266ac37cbec36c4b17.jpg) [<img src="https://images.seebug.org/upload/201410/12154451bee3740382b1b692f5347311d42b80ca.jpg" alt="s19.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/12154451bee3740382b1b692f5347311d42b80ca.jpg) viewnews.php的一样 就不说了。 ### 漏洞证明： [<img src="https://images.seebug.org/upload/201410/12154451bee3740382b1b692f5347311d42b80ca.jpg" alt="s19.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/12154451bee3740382b1b692f5347311d42b80ca.jpg)