### Brief description:
See title.
### Details:
In the registration handler.
```php
function check_all($reg_username, $reg_email, $reg_code) {
    global $_lang, $_K;
    // Rate-limit check keyed on the registering client's IP address
    $res1 = $this->check_ip ();
    if ($_K['do']) {
        $url = 'index.php?do=' . $_K['do'];
    } else {
        $url = 'index.php?do=register';
    }
    $res1 === true or $result = $res1;
    $res2 = $this->check_username ( $reg_username );
    $res2 === true or $result = $res2;
    $res3 = $this->check_email ( $reg_email );
    $res3 === true or $result = $res3;
    if ($this->_check_code == true) {
        $res4 = $this->check_code ( $reg_code );
        $res4 === true or $result = $res4;
    }
    // The last failing check is returned; otherwise registration may proceed
    if ($result) {
        return $result;
    } else {
        return true;
    }
}
```
Look at `check_ip`:
```php
function check_ip() {
    global $_lang;
    $check_time = time () - $this->_sys_config ['reg_limit'] * 60;
    // $this->_reg_ip is interpolated straight into the WHERE clause, with no escaping or parameter binding
    $this->_space_obj->setWhere ( "reg_ip = '$this->_reg_ip' and $check_time< reg_time" );
    $res = $this->_space_obj->query_keke_witkey_space ();
    // ... (the remainder of the function is not included in this report)
}
```
`$this->_reg_ip` is populated by `$this->_reg_ip = kekezu::get_ip ();`, and `get_ip` is:
```php
static function get_ip() {
    global $_lang;
    // Client-supplied headers are consulted before the socket peer address, and the value is never validated
    if (! empty ( $_SERVER ["HTTP_CLIENT_IP"] ))
        $cip = $_SERVER ["HTTP_CLIENT_IP"];
    else if (! empty ( $_SERVER ["HTTP_X_FORWARDED_FOR"] ))
        $cip = $_SERVER ["HTTP_X_FORWARDED_FOR"];
    else if (! empty ( $_SERVER ["REMOTE_ADDR"] ))
        $cip = $_SERVER ["REMOTE_ADDR"];
    else
        $cip = $_lang ['can_not_get'];
    return $cip;
}
```
A malicious X-Forwarded-For header can therefore be forged, and its value is concatenated into the SQL query without any sanitisation.
Like this:
![1.jpg](https://images.seebug.org/upload/201407/0418451194eb90a61ce2088b4dd13481b981750d.jpg)
![2.jpg](https://images.seebug.org/upload/201407/04184527cfe51626582d9ff35e08b28e7bb03a38.jpg)
![3.jpg](https://images.seebug.org/upload/201407/0418454157605ab838788bdf2a5fdc8410136d09.jpg)
Guessing that the first character of the administrator's username is `a`: the time delay succeeds.
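One way to close both halves of this bug, as an added example that is not KPPW's own code: only trust X-Forwarded-For when the request really came through a reverse proxy, validate that the value is an IP address, and bind it as a query parameter instead of interpolating it into the WHERE clause. The `$trustedProxies` list, the PDO handle and the `keke_witkey_space` table name are assumptions.

```php
<?php
// Added example (not the project's code): pick the client IP safely, then use a bound parameter.

// Only honour proxy headers when REMOTE_ADDR is one of our own reverse proxies ($trustedProxies is assumed).
function get_client_ip(array $server, array $trustedProxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trustedProxies, true)) {
        foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'] as $header) {
            if (empty($server[$header])) {
                continue;
            }
            // X-Forwarded-For is a comma-separated chain; the left-most entry is the original client.
            $candidate = trim(explode(',', $server[$header])[0]);
            if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
                return $candidate;
            }
        }
    }
    // Direct connections, and headers that fail validation, fall back to the socket peer address.
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

// Registration rate-limit lookup with a bound parameter; $pdo is an assumed connected PDO handle,
// the table name is assumed from query_keke_witkey_space, and the columns follow the report.
function recent_registrations(PDO $pdo, string $regIp, int $limitMinutes): int
{
    $checkTime = time() - $limitMinutes * 60;
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM keke_witkey_space WHERE reg_ip = :ip AND reg_time > :since'
    );
    $stmt->execute([':ip' => $regIp, ':since' => $checkTime]);
    return (int) $stmt->fetchColumn();
}

// Constructed request: a forged header on a direct (non-proxied) connection is ignored,
// and a non-IP value is rejected even when the header is trusted.
$forged = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => "1.2.3.4' injected",
];
var_dump(get_client_ip($forged));                  // direct connection: header ignored
var_dump(get_client_ip($forged, ['203.0.113.7'])); // trusted proxy, but value is not an IP
```

With the value bound as a parameter, the rate-limit query cannot be altered even if an unvalidated string were to reach it.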
### Proof of vulnerability:
![3.jpg](https://images.seebug.org/upload/201407/0418454157605ab838788bdf2a5fdc8410136d09.jpg)