Cmseasy sql注入一枚

### 简要描述： 无视gpc 无需登录。 ### 详细说明： 昨天下的。 \lib\plugins\pay\alipay.php 因为是调用的respond 类 ``` function respond() { if (!empty($_POST)) { foreach($_POST as $key =>$data) { $_GET[$key] = $data; } } $payment = pay::get_payment($_GET['code']); $seller_email = rawurldecode($_GET['seller_email']); $order_sn = str_replace($_GET['subject'],'',$_GET['out_trade_no']); $order_sn = trim($order_sn); if (!pay::check_money($order_sn,$_GET['total_fee'])) { return false; } if($_GET['trade_status'] == "WAIT_SELLER_SEND_GOODS"||$_GET['trade_status'] == "TRADE_FINISHED" || $_GET['trade_status'] == "TRADE_SUCCESS") { pay::changeorders($order_sn,$_GET); return true; }else { return false; } } } ``` 挺多可控的 ``` public static function changeorders($id,$orderlog) { //file_put_contents('logs.txt', $id); $where=array(); $where['id']=$id; $where['status']=4; //$where['orderlog']=serialize($orderlog); $update=orders::getInstance()->rec_update($where,$id); if($update<1) { exit('改变订单状态出错，请联系管理员'); } } ``` $orderlog 基本没怎么用到 - - ``` public function rec_update($row , $where){ if(empty($this->tablename)) return; if(!empty($row) && !empty($where)){ $sqlud=''; foreach ($row as $key=>$value) { $key = $this->simpledb->escape_string($key); $value = $this->simpledb->escape_string($value); $sqlud .= "`$key`"."= '".$value."',"; } $sqlud=rtrim($sqlud); $sqlud=rtrim($sqlud,','); $where = $this->webscandb_condtion($where); $sql="UPDATE `".$this->tablename."` SET ".$sqlud." WHERE ".$where; return $this->simpledb->execute($sql); } ``` 可以看到 where 是没有单引号的 开始利用把。 $order_sn = str_replace($_GET['subject'],'',$_GET['out_trade_no']); UPDATE `cmseasy_p_orders` SET `id`= '123',`status`= '4' WHERE 123 然后让他延时 需要id=123 sleep(10) 这样 但是发现$_GET 过滤了 = 对<> urlencode。。 不知道怎么办了。 想了很久。 后面才看到。 ``` if (!empty($_POST)) { foreach($_POST as $key =>$data) { $_GET[$key] = $data; } } ``` 就那用post来提交把 post未过滤= <>之类的。 ### 漏洞证明： [<img src="https://images.seebug.org/upload/201402/11183737402d79a6d18a8a0c1e3064bbec8b50a1.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/11183737402d79a6d18a8a0c1e3064bbec8b50a1.jpg) [<img src="https://images.seebug.org/upload/201402/111836567aa94562f976651783f779e6048640a6.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/111836567aa94562f976651783f779e6048640a6.jpg) [<img src="https://images.seebug.org/upload/201402/11183749a8316c89a29f87148ca8e288a18ac204.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/11183749a8316c89a29f87148ca8e288a18ac204.jpg) [<img src="https://images.seebug.org/upload/201403/0811245511f58259c155a302b06cf2f722218765.jpg" alt="IMG_20140308_111824.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/0811245511f58259c155a302b06cf2f722218765.jpg) [<img src="https://images.seebug.org/upload/201403/10184618b53f0b52c39643acb791d5662373e005.jpg" alt="111.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/10184618b53f0b52c39643acb791d5662373e005.jpg) [<img src="https://images.seebug.org/upload/201403/1018463089bce03a402d126c430ee942aed25bd2.jpg" alt="222.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/1018463089bce03a402d126c430ee942aed25bd2.jpg) OK咯。