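### Brief description:
When the vulnerability at http://www.wooyun.org/bugs/wooyun-2014-068153 was fixed, the handling was inadequate: the fix treated the symptom, not the root cause.
### Details: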
```
public static function getIP()
{
    // The two request headers are checked first; both are supplied by the client.
    if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
    elseif (isset($_SERVER["HTTP_CLIENT_IP"])) $ip = $_SERVER["HTTP_CLIENT_IP"];
    elseif (isset($_SERVER["REMOTE_ADDR"])) $ip = $_SERVER["REMOTE_ADDR"];
    elseif (getenv("HTTP_X_FORWARDED_FOR")) $ip = getenv("HTTP_X_FORWARDED_FOR");
    elseif (getenv("HTTP_CLIENT_IP")) $ip = getenv("HTTP_CLIENT_IP");
    elseif (getenv("REMOTE_ADDR")) $ip = getenv("REMOTE_ADDR");
    else $ip = "Unknown";
    // The value is returned as-is, with no check that it is an IP address.
    return $ip;
}
```
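The fix for the earlier vulnerability did not modify getIP; instead, an IP check was added in /controller/controller_class.php. However, getIP is used in one other place (the only one remaining), in protected\classes\Log.php: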
```
public static function op($manager_id,$action,$content)
{
    // 'ip' is filled from Chips::getIP(), i.e. from an unvalidated request header.
    $logs = array('manager_id'=>$manager_id,'action'=>$action,'content'=>$content,'ip'=>Chips::getIP(),'url'=>Url::requestUri(),'time'=>date('Y-m-d H:i:s'));
    $model = new Model('log_operation');
    $model->data($logs)->insert();
}
```
As a result, every function that calls log::op is vulnerable to injection.
### Proof of vulnerability:
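Fixing the helper itself, rather than each caller, closes both the original call site and the logging path. The following is an added example, not code from the project or its vendor patch: the class name `ClientIp`, the `$trustedProxies` allow-list and the sample requests are assumptions made for illustration.

```php
<?php
// Added example (not the project's code): return only a syntactically valid
// IP address, so every caller of the helper receives a safe value.
final class ClientIp
{
    // $trustedProxies is a hypothetical allow-list of reverse-proxy addresses.
    public static function get(array $server, array $trustedProxies = array())
    {
        // REMOTE_ADDR comes from the TCP connection, not from request headers.
        $remote = isset($server['REMOTE_ADDR'])
            ? filter_var($server['REMOTE_ADDR'], FILTER_VALIDATE_IP)
            : false;
        if ($remote === false) {
            return 'Unknown';
        }
        // Forwarding headers are client-controlled; read them only when the
        // direct peer is one of our own proxies.
        if (in_array($remote, $trustedProxies, true)) {
            foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP') as $name) {
                if (!isset($server[$name])) {
                    continue;
                }
                // The header may hold a comma-separated chain; the rightmost
                // entry is the one appended by the trusted proxy.
                $chain = explode(',', $server[$name]);
                $candidate = filter_var(trim(end($chain)), FILTER_VALIDATE_IP);
                if ($candidate !== false) {
                    return $candidate;
                }
            }
        }
        return $remote;
    }
}

// Constructed sample requests (documentation-range addresses).
$proxies = array('198.51.100.10');
$samples = array(
    array('REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => "x' -- not an ip"),
    array('REMOTE_ADDR' => '198.51.100.10', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 203.0.113.9'),
    array('REMOTE_ADDR' => '198.51.100.10', 'HTTP_X_FORWARDED_FOR' => "x' -- not an ip"),
);
foreach ($samples as $s) {
    echo ClientIp::get($s, $proxies), PHP_EOL;
}
```

Validating at the source complements, and does not replace, escaping or parameter binding in the database layer that writes the log row.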
![4444.png](https://images.seebug.org/upload/201409/111055556697c79245538971bf0c381d9b4e27df.png)
![555.png](https://images.seebug.org/upload/201409/111056086ed218059fd09dad36db7c9422ec4401.png)