ThinkSAAS SQL注入#6

### 简要描述： ThinkSAAS SQL注入#6 ### 详细说明： thinksaas在添加标签处，由于不完全的过滤，以及特殊的构造拼接导致sql注入。 在/app/tag/action/add.php文件： ``` case "do": $objname = t($_POST['objname']); $idname = t($_POST['idname']); $objid = intval($_POST['objid']); $tags = t($_POST['tags']); $new['tag']->addTag($objname,$idname,$objid,$tags); tsNotice('标签添加成功！'); break; ``` 注意这里的$objname参数。然后，跟进t函数： ``` function t($text) { $text = preg_replace ( '/\[.*?\]/is', '', $text ); $text = cleanJs ( $text ); // 彻底过滤空格BY QINIAO $text = preg_replace ( '/\s(?=\s)/', '', $text ); $text = preg_replace ( '/[\n\r\t]/', ' ', $text ); $text = str_replace ( ' ', ' ', $text ); // $text = str_replace ( ' ', '', $text ); $text = str_replace ( ' ', '', $text ); $text = str_replace ( '&', '', $text ); $text = str_replace ( '=', '', $text ); $text = str_replace ( '-', '', $text ); $text = str_replace ( '#', '', $text ); $text = str_replace ( '%', '', $text ); $text = str_replace ( '!', '', $text ); $text = str_replace ( '@', '', $text ); $text = str_replace ( '^', '', $text ); $text = str_replace ( '*', '', $text ); $text = str_replace ( 'amp;', '', $text ); $text = str_replace ( 'position', '', $text ); $text = strip_tags ( $text ); $text = htmlspecialchars ( $text ); $text = str_replace ( "'", "", $text ); return $text; } ``` 然后，跟进addTag函数： ``` $tagIdCount = $this->findCount("tag_".$objname."_index",array( 'tagid'=>$tagData['tagid'], )); $count_obj = "count_".$objname; $this->update('tag',array( 'tagid'=>$tagData['tagid'], ),array( $count_obj=>$tagIdCount, 'uptime'=>$uptime, )); ``` 看到这里的$objname参数带入了$count_obj中，然后进入了sql语句update中。 ``` public function update($table, $conditions, $row) { $where = ""; if (empty ( $row )) return FALSE; if (is_array ( $conditions )) { $join = array (); foreach ( $conditions as $key => $condition ) { $condition = $this->escape ( $condition ); $join [] = "{$key} = {$condition}"; } $where = "WHERE " . join ( " AND ", $join ); } else { if (null != $conditions) $where = "WHERE " . $conditions; } foreach ( $row as $key => $value ) { $vals [] = "`$key` = '$value'"; } $values = join ( ", ", $vals ); $sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}"; return $this->db->query ( $sql ); } ``` 这里在处理sql语句时，在key上使用了反引号。 而这里的key使我们输入的$objname参数拼接起来的，正好从上面的过滤来看，没有过滤掉反引号。 导致在key这里造成注入。 ### 漏洞证明： 构造请求，在$objname处添加反引号，查看sql执行日志： [<img src="https://images.seebug.org/upload/201312/23180410301c0680b7bf779f62c2efefdecf408e.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/23180410301c0680b7bf779f62c2efefdecf408e.png) 反引号被成功带入到了update时的key中。