### Summary:
TCCMS SQL Injection Vulnerability 3 (Blind Injection)
### Details:
When deleting an article, in:
app/controller/news.class.php
```php
public function delete() {
    $_Obj = M($this->objName);
    $newsObj = M("content");
    $msgObj = new Msg();
    $id = $_GET['id'];
    $idAry = $_POST['id']; // injection point: array taken from POST without filtering
    // Only the single GET id is cast to int; POST ids are joined into the string verbatim
    $idStr = count($idAry) == 0 ? intval($id) : implode(",", $idAry);
    $newIdAry = explode(",", $idStr);
    $idSize = count($newIdAry);
    if (empty($newIdAry[0]) && empty($id)) {
        $msgObj->addMsg('error', Config::lang("PLEASECHOOSEDELETEDATA"));
    }
    for ($i = 0; $i < $idSize; $i++) {
        $news = get("news", $newIdAry[$i]);
        if (Authen::checkIsSelfData($news->uid)) {
            // each unfiltered element reaches the model's deleteById()
            $newsObj->deleteById($newIdAry[$i]);
            $_Obj->deleteById($newIdAry[$i]);
        } else {
            $msgObj->addMsg('error', Config::lang("CANBEDELNOTSELFNEWS"));
        }
    }
    if (!$msgObj->hasMsg) {
        $newsObj->delete();
        $_Obj->delete();
    }
    header('Location: index.php?ac=news_all&type=user&page=' . $_GET["page"]);
    exit;
}
```
Following deleteById into system/core/model.class.php:
```php
public function deleteById($id) {
    // $id is passed straight to the DB layer as the WHERE value for the primary key
    $this->db->Delete($this->table, $this->PRI, $id);
}
```
The `id` values from POST are never filtered before they reach the query.
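One way to close this hole, as an added example that is not TCCMS code: validate every id as a positive integer before it reaches the model, and bind the list with placeholders instead of concatenating it. The function names, the `news` table, the `id` column and the use of PDO are assumptions for illustration.

```php
<?php
// Added example (not TCCMS code): take the same inputs as the page's delete()
// ($_GET['id'] as a single id, $_POST['id'] as an array) and return only
// validated integers, rejecting the whole request if any element is bad.
function collectIds(?string $single, $many): array
{
    $raw = (is_array($many) && count($many) > 0) ? $many : [$single];
    $ids = [];
    foreach ($raw as $v) {
        // ctype_digit on the string form rejects "", null, "1,2", "1 x", "-1", etc.
        if (!is_scalar($v) || !ctype_digit((string) $v) || (int) $v < 1) {
            return []; // a single malformed value voids the request
        }
        $ids[] = (int) $v;
    }
    return array_values(array_unique($ids));
}

// Parameterised IN (...) clause: the ids never become part of the SQL text.
// Table and column names are constants here, never taken from the request.
function deleteNewsByIds(PDO $db, array $ids): int
{
    if ($ids === []) {
        return 0;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM news WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// Constructed sample inputs (hypothetical requests, not captured traffic)
var_dump(collectIds('7', []));            // [7]   single GET id
var_dump(collectIds(null, ['3', '5', '3'])); // [3, 5] duplicates dropped
var_dump(collectIds(null, ['3', '5 x']));    // []    rejected as a whole
```

The per-id ownership check from the original handler still belongs before `deleteNewsByIds()`; this example only removes the injection path.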
### Proof of Concept:
First, look at our articles:
![1.png](https://images.seebug.org/upload/201401/09154853cd227d97a5602da34ff54b3ab1b2d24c.png)
Then we construct a delete request with a false condition:
![2.png](https://images.seebug.org/upload/201401/09154912323f468114d11329ca47be19af6c5d19.png)
Although the page reports that one article was deleted successfully, the article was not actually deleted, because the condition is false.
Constructing a true condition:
![3.png](https://images.seebug.org/upload/201401/09155004cc8a16110d6705918bb0c95122c11717.png)
The article is deleted successfully.
Database record:
![4.png](https://images.seebug.org/upload/201401/09155114d4954758fad00eed16a4c612ee92c613.png)