ThinkSAAS SQL注入漏洞

### 简要描述： ThinkSAAS SQL注入漏洞 ### 详细说明： 问题在上传附件处，/app/photo/action/do.php： ``` //上传 $arrUpload = tsUpload($_FILES['Filedata'],$photoid,'photo',array('jpg','gif','png')); if($arrUpload){ $new['photo']->update('photo',array( 'photoid'=>$photoid, ),array( 'photoname'=>tsClean($arrUpload['name']),//没有过滤，导致SQL注入 'phototype'=>tsClean($arrUpload['type']), 'path'=>tsClean($arrUpload['path']), 'photourl'=>tsClean($arrUpload['url']), 'photosize'=>tsClean($arrUpload['size']), )); } ``` 然后我们我们看到photoname等都没有过滤。 跟进tsUpload函数，/thinksaas/tsFunction.php： ``` function tsUpload($files, $projectid, $dir, $uptypes) { if ($files ['size'] > 0) { $menu2 = intval ( $projectid / 1000 ); $menu1 = intval ( $menu2 / 1000 ); $path = $menu1 . '/' . $menu2; $dest_dir = 'uploadfile/' . $dir . '/' . $path; createFolders ( $dest_dir ); $arrType = explode ( '.', strtolower ( $files ['name'] ) ); // 转小写一下 $type = array_pop ( $arrType ); if (in_array ( $type, $uptypes )) { $name = $projectid . '.' . $type; $dest = $dest_dir . '/' . $name; // 先删除 unlink ( $dest ); // 后上传 move_uploaded_file ( $files ['tmp_name'], mb_convert_encoding ( $dest, "gb2312", "UTF-8" ) ); chmod ( $dest, 0777 ); $filesize = filesize ( $dest ); if (intval ( $filesize ) > 0) { return array ( 'name' => $files ['name'], 'path' => $path, 'url' => $path . '/' . $name, 'type' => $type, 'size' => $files ['size'] ); } else { return false; } } else { return false; } } } ``` 看到传入的$files ['name']没有过滤，人后就return了。 最后看看update的处理： ``` public function update($table, $conditions, $row) { $where = ""; if (empty ( $row )) return FALSE; if (is_array ( $conditions )) { $join = array (); foreach ( $conditions as $key => $condition ) { $condition = $this->escape ( $condition ); $join [] = "{$key} = {$condition}"; } $where = "WHERE " . join ( " AND ", $join ); } else { if (null != $conditions) $where = "WHERE " . $conditions; } foreach ( $row as $key => $value ) { $vals [] = "`$key` = '$value'"; } $values = join ( ", ", $vals ); $sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}"; return $this->db->query ( $sql ); } ``` 全程没有过滤，导致SQL注入。 ### 漏洞证明： 我们在资料处，新建一个资料库。 然后再次资料库上传文件，抓包，修改文件名字为： ``` 123.jpg',`attachtype`=user()#a.txt ``` 或者新建一个以上面内容为文件名的文件，直接上传即可。 看看结果： [<img src="https://images.seebug.org/upload/201401/06185918f67bad88dd7626a07ab66b89440ca1e7.png" alt="w5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/06185918f67bad88dd7626a07ab66b89440ca1e7.png) attachtype参数，即类型被修改了。