Thinksaas SQL注入#4

### 简要描述： Thinksaas SQL注入#4 ### 详细说明： 编辑图片信息： ``` /app/photo/action/edit.php ``` ``` case "do": if($_POST['token'] != $_SESSION['token']) { tsNotice('非法操作！'); } $photoid = intval($_POST['photoid']); $photoname = tsClean($_POST['photoname']); $photodesc = tsClean($_POST['photodesc']); $new['photo']->update('photo',array( 'photoid'=>$photoid, ),array( 'photoname'=>$photoname, 'photodesc'=>$photodesc, )); header('Location: '.tsUrl('photo','show',array('id'=>$photoid))); break; ``` 跟进tsClean： ``` function cleanJs($text) { $text = trim ( $text ); $text = stripslashes ( $text ); // 完全过滤注释 $text = preg_replace ( '/<!--?.*-->/', '', $text ); // 完全过滤动态代码 $text = preg_replace ( '/<\?|\?>/', '', $text ); // 完全过滤js $text = preg_replace ( '/<script?.*\/script>/', '', $text ); // 过滤多余html $text = preg_replace ( '/<\/?(html|head|meta|link|base|body|title|style|script|form|iframe|frame|frameset)[^><]*>/i', '', $text ); // 过滤on事件lang js while ( preg_match ( '/(<[^><]+)(lang|onfinish|onmouse|onexit|onerror|onclick|onkey|onload|onchange|onfocus|onblur)[^><]+/i', $text, $mat ) ) { $text = str_replace ( $mat [0], $mat [1], $text ); } while ( preg_match ( '/(<[^><]+)(window\.|javascript:|js:|about:|file:|document\.|vbs:|cookie)([^><]*)/i', $text, $mat ) ) { $text = str_replace ( $mat [0], $mat [1] . $mat [3], $text ); } return $text; } /** * 输入安全过滤 * @param unknown $text * @return mixed */ function tsClean($text) { $text = cleanJs ( $text ); return $text; } ``` 同样过滤js相关内容，其他的没过滤 跟进update： ``` public function update($table, $conditions, $row) { $where = ""; if (empty ( $row )) return FALSE; if (is_array ( $conditions )) { $join = array (); foreach ( $conditions as $key => $condition ) { $condition = $this->escape ( $condition ); $join [] = "{$key} = {$condition}"; } $where = "WHERE " . join ( " AND ", $join ); } else { if (null != $conditions) $where = "WHERE " . $conditions; } foreach ( $row as $key => $value ) { $vals [] = "`$key` = '$value'"; } $values = join ( ", ", $vals ); $sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}"; return $this->db->query ( $sql ); } ``` row内容没有过滤，导致sql注入。 ### 漏洞证明： 第一步，上传一张照片 第二步，修改照片信息： [<img src="https://images.seebug.org/upload/201312/201424273a9cbaf403bdcb0dd9144e998d771774.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/201424273a9cbaf403bdcb0dd9144e998d771774.png) 第三步，抓包，修改post数据，如图： [<img src="https://images.seebug.org/upload/201312/20142452f72f9392d18a6ed2437cc5e90d2a3096.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/20142452f72f9392d18a6ed2437cc5e90d2a3096.png) 最后图片的描述信息就会被修改成user()信息。