### Brief description:
There are a lot of vulnerabilities, and submitting them one at a time is too much trouble, so I'm submitting them all together; hopefully this can go to a major vendor.
### Details:
First SQL injection
/app/group/action/do.php
```
// Edit group basic information
case "edit_base":
// Filtered copies, used only for the empty check and the duplicate-name check below
$groupname = t($_POST['groupname']);
$groupdesc = tsClean($_POST['groupdesc']);
if($groupname=='' || $groupdesc=='') tsNotice("小组名称和介绍都不能为空!");
// Content filtering start
aac('system')->antiWord($groupname);
aac('system')->antiWord($groupdesc);
// Content filtering end
$isgroupname = $new['group']->findCount('group',array(
'groupname'=>$groupname,
));
$groupid = intval($_POST['groupid']);
$strGroup = $new['group']->find('group',array(
'groupid'=>$groupid,
));
if($isgroupname > 0 && $strGroup['groupname']!=$groupname) tsNotice('小组名称已经存在!');
// Sink: the raw $_POST values (only trimmed) are written, not the filtered variables above
$new['group']->update('group',array(
'groupid'=>$groupid,
),array(
'groupname' => trim($_POST['groupname']),
'groupdesc' => trim($_POST['groupdesc']),
'joinway' => intval($_POST['joinway']),
'ispost' => intval($_POST['ispost']),
'isopen' => intval($_POST['isopen']),
'ispostaudit' => intval($_POST['ispostaudit']),
));
tsNotice('基本信息修改成功!');
break;
```
When editing group information, groupname and groupdesc go into the row parameter of update() without any filtering (the filtered $groupname and $groupdesc are used only for the checks; the raw trim($_POST[...]) values are what get written), which leads to SQL injection.
Second SQL injection:
/app/group/action/do.php
```
// Reply to a comment
case "recomment":
if($_POST['token'] != $_SESSION['token']) {
echo 1;exit;
}
$referid = intval($_POST['referid']);
$topicid = intval($_POST['topicid']);
$content = tsClean($_POST['content']);
$addtime = time();
// Sink: $content is interpolated straight into the INSERT statement
$db->query("insert into ".dbprefix."group_topic_comment (`referid`,`topicid`,`userid`,`content`,`addtime`) values ('$referid','$topicid','$userid','$content','$addtime')");
```
In the comment reply, content is not filtered, which leads to blind injection in the INSERT statement.
Proof shown below; the response is delayed by 10 s:
![3.png](https://images.seebug.org/upload/201402/2416273585193309bcc9554e4e23bc99f44a8271.png)
Third SQL injection:
/app/group/action/topicedit.php
```
// Edit post: execute
case "do":
if($_POST['token'] != $_SESSION['token']) {
tsNotice('非法操作!');
}
$topicid = intval($_POST['topicid']);
$title = trim($_POST['title']);
$typeid = intval($_POST['typeid']);
$content = cleanJs($_POST['content']);
$iscomment = intval($_POST['iscomment']);
...... // (code omitted in the original report)
if($strTopic['userid']==$userid || $strGroup['userid']==$userid || $TS_USER['user']['isadmin']==1 || $strGroupUser['isadmin']==1){
// Sink: $title (only trimmed) and $content (only JS-cleaned) reach the update unescaped
$new['group']->update('group_topic',array(
'topicid'=>$topicid,
),array(
'typeid' => $typeid,
'title'=>$title,
'content'=>$content,
'iscomment' => $iscomment,
));
```
When editing a post, title and content are injectable.
Proof shown below:
![4.png](https://images.seebug.org/upload/201402/24162832f9db686f4d49df8ea804331ac1eba995.png)
Fourth SQL injection:
/app/photo/action/edit.php
```
case "do":
if($_POST['token'] != $_SESSION['token']) {
tsNotice('非法操作!');
}
$photoid = intval($_POST['photoid']);
$photoname = tsClean($_POST['photoname']);
$photodesc = tsClean($_POST['photodesc']);
// Sink: tsClean() does not escape for SQL; both values reach the update as-is
$new['photo']->update('photo',array(
'photoid'=>$photoid,
),array(
'photoname'=>$photoname,
'photodesc'=>$photodesc,
));
header('Location: '.tsUrl('photo','show',array('id'=>$photoid)));
break;
```
When editing a single photo's information, photoname and photodesc are not filtered, which leads to SQL injection.
Proof shown below:
![5.png](https://images.seebug.org/upload/201402/241629253b6b42745416a3f5241903cdb991d09f.png)
Fifth SQL injection
/app/tag/action/add.php
```
case "do":
$objname = tsFilter($_POST['objname']);
// $idname is later used as a column name, i.e. an SQL identifier, not a value
$idname = tsFilter($_POST['idname']);
$objid = intval($_POST['objid']);
$tags = t($_POST['tags']);
$new['tag']->addTag($objname,$idname,$objid,$tags);
tsNotice('标签添加成功!');
break;
```
In the addTag() function:
```
// Sink: $idname becomes the array key, which the query builder emits as a column name without filtering
$tagIndexCount = $this->findCount('tag_'.$objname.'_index',array(
$idname=>$objid,
'tagid'=>$tagid,
));
```
idname is passed through tsFilter() and then used as an array key, but tsFilter() can be bypassed with a tab character, and the key itself is not filtered, which leads to SQL injection.
Proof shown below:
![1.png](https://images.seebug.org/upload/201402/2416313701e8165e7621efc00a0563b4869a423e.png)
The injection result can be seen in the log:
![2.png](https://images.seebug.org/upload/201402/24163150696ebfa7554a9608cc45e45713de9e44.png)
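A hardened counterpart to the fifth case (and to the update() row values in the first four), added here as an example and not ThinkSNS code: the column name taken from idname is accepted only from a fixed allow-list, so blacklist-style filtering such as tsFilter() is never relied on for an identifier, and the values are bound as parameters instead of being interpolated. The allow-lists, the `ts_` table prefix and the PDO/SQLite in-memory database are assumptions made for the demonstration.

```php
<?php
// Added example (not project code): identifiers by allow-list, values by binding.

// Hypothetical allow-lists; the real set of object types is the application's decision.
const ALLOWED_OBJNAMES = ['group', 'photo', 'topic'];
const ALLOWED_IDNAMES  = ['groupid', 'photoid', 'topicid'];

function safeIdentifier(string $value, array $allowed): string {
    // An exact-match allow-list makes whitespace tricks against a filter irrelevant:
    // anything that is not one of the known identifiers is rejected before any SQL is built.
    if (!in_array($value, $allowed, true)) {
        throw new InvalidArgumentException('Rejected identifier: ' . bin2hex($value));
    }
    return $value;
}

function tagIndexCount(PDO $db, string $prefix, string $objname, string $idname, int $objid, int $tagid): int {
    $table  = $prefix . 'tag_' . safeIdentifier($objname, ALLOWED_OBJNAMES) . '_index';
    $column = safeIdentifier($idname, ALLOWED_IDNAMES);
    // Identifiers are allow-listed, so interpolating them is safe; values are bound parameters.
    $sql  = "SELECT COUNT(*) FROM `$table` WHERE `$column` = :objid AND `tagid` = :tagid";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':objid', $objid, PDO::PARAM_INT);
    $stmt->bindValue(':tagid', $tagid, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Demonstration against a constructed in-memory SQLite database (assumes pdo_sqlite is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ts_tag_group_index (groupid INTEGER, tagid INTEGER)');
$db->exec('INSERT INTO ts_tag_group_index VALUES (1, 7), (1, 8), (2, 7)');

echo 'count for group 1 / tag 7: ' . tagIndexCount($db, 'ts_', 'group', 'groupid', 1, 7) . PHP_EOL;

// A key name with a trailing tab, the shape the report describes, is rejected outright
// instead of reaching the query as a column name.
try {
    tagIndexCount($db, 'ts_', 'group', "groupid\t", 1, 7);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ' . $e->getMessage() . PHP_EOL;
}
```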
### Proof of vulnerability:
See the details section above.