Thinksaas 越权+SQL注入#1

### 简要描述： Thinksaas SQL注入#1 ### 详细说明： /app/article/action/edit.php ``` case "do" : $articleid = intval ( $_POST ['articleid'] ); $cateid = intval ( $_POST ['cateid'] ); $title = tsClean ( $_POST ['title'] );//过滤 $content = tsClean ( $_POST ['content'] );//过滤 if ($TS_USER ['user'] ['isadmin'] == 0) { // 过滤内容开始 aac ( 'system' )->antiWord ( $title );//过滤垃圾词 aac ( 'system' )->antiWord ( $content );//过滤过滤垃圾词 // 过滤内容结束 } if ($title == '' || $content == '') qiMsg ( "标题和内容都不能为空！" ); $new ['article']->update ( 'article', array ( 'articleid' => $articleid ) , array ( 'cateid' => $cateid, 'title' => $title, 'content' => $content ) ); ``` 跟进tsClean，/thinksaas/tsFunction.php： ``` function tsClean($text) { $text = cleanJs ( $text ); return $text; } function cleanJs($text) { $text = trim ( $text ); $text = stripslashes ( $text ); // 完全过滤注释 $text = preg_replace ( '/<!--?.*-->/', '', $text ); // 完全过滤动态代码 $text = preg_replace ( '/<\?|\?>/', '', $text ); // 完全过滤js $text = preg_replace ( '/<script?.*\/script>/', '', $text ); // 过滤多余html $text = preg_replace ( '/<\/?(html|head|meta|link|base|body|title|style|script|form|iframe|frame|frameset)[^><]*>/i', '', $text ); // 过滤on事件lang js while ( preg_match ( '/(<[^><]+)(lang|onfinish|onmouse|onexit|onerror|onclick|onkey|onload|onchange|onfocus|onblur)[^><]+/i', $text, $mat ) ) { $text = str_replace ( $mat [0], $mat [1], $text ); } while ( preg_match ( '/(<[^><]+)(window\.|javascript:|js:|about:|file:|document\.|vbs:|cookie)([^><]*)/i', $text, $mat ) ) { $text = str_replace ( $mat [0], $mat [1] . $mat [3], $text ); } return $text; } ``` 最后是cleanjs函数进行过滤。 最后进入update函数： ``` public function update($table, $conditions, $row) { $where = ""; if (empty ( $row )) return FALSE; if (is_array ( $conditions )) { $join = array (); foreach ( $conditions as $key => $condition ) { $condition = $this->escape ( $condition );//转义 $join [] = "{$key} = {$condition}"; } $where = "WHERE " . join ( " AND ", $join ); } else { if (null != $conditions) $where = "WHERE " . $conditions; } foreach ( $row as $key => $value ) { $vals [] = "`$key` = '$value'";//未转义，直接带入，注入 } $values = join ( ", ", $vals ); $sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}"; return $this->db->query ( $sql ); } ``` 而且从这里看出，在修改文章时，没有判断文章的用户属性，即此文章是谁发表的。 导致任意用户文章修改。 ### 漏洞证明： 我们注册一个用户222222. 修改用户111111发表的文章。 [<img src="https://images.seebug.org/upload/201312/19114230f2a0f5252209734fb1016d759dda7ba8.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/19114230f2a0f5252209734fb1016d759dda7ba8.png) 查看结果 [<img src="https://images.seebug.org/upload/201312/19114248a912a7d60749a61b3800adbd4e8eb3b4.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/19114248a912a7d60749a61b3800adbd4e8eb3b4.png) 111111发表的文章被我们修改了，且成功注入。