### Brief description:
Bypassing the global SQL injection filter.
### Details:
```php
// Excerpt of the vulnerable Add() method; the remainder of the function is not shown in the original.
function Add($primary_id, $form_attributes, $form_id=1, $type_id = 1)
{
$datas = array();
$inserts = null;
$reurn_attribute_ids = null;
$form_attributes = array_filter($form_attributes);
if (!empty($form_attributes) && is_array($form_attributes)) {
foreach ($form_attributes as $key=>$val) { // iterate over the form_attributes array
if($attribute_id = $this->dbstuff->GetOne("SELECT id FROM {$this->table_prefix}formattributes f WHERE primary_id={$primary_id} AND formitem_id={$key} AND type_id={$type_id} AND form_id={$form_id}")){ // $key is the array key: it is placed into the SQL statement without any filtering
$this->dbstuff->Execute("UPDATE {$this->table_prefix}formattributes SET attribute='{$val}' WHERE primary_id={$primary_id} AND formitem_id={$key} AND type_id={$type_id} AND form_id={$form_id}");
}else{
$datas[] = "(".$type_id.",".$form_id.",".$key.",".$primary_id.",'".$val."')";
}
}
```
Searching for calls to the Add function turns up several reachable call sites:
```text
\virtual-office\offer.php (2 hits)
Line 291: $item_ids = $form->Add($id,$_POST['data']['formitem']);
Line 321: $item_ids = $form->Add($last_trade_id, $_POST['data']['formitem']);
\virtual-office\product.php (2 hits)
Line 62: $item_ids = $form->Add($id,$_POST['data']['formitem'], $form_id, $form_type_id);
Line 77: $item_ids = $form->Add($product_id, $_POST['data']['formitem'], $form_id, $form_type_id);
```
Because the injection point is the array key, and phpb2b filters only array values while leaving keys untouched, SQL injection is possible directly through the key; the setting of magic_quotes_gpc is irrelevant here, since the key is never quoted.
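As an added example (not phpb2b's own code), the following is a hardened version of the Add() loop above. It closes both gaps the writeup describes: array keys are validated as integer formitem ids before they reach SQL, and every user-controlled value is bound as a parameter rather than interpolated. It assumes a PDO handle `$pdo` and a configured `$table_prefix`; the INSERT column order is inferred from the `$datas[]` tuple in the excerpt.

```php
<?php
// Added example, not from the original page or the phpb2b project.
// Assumes $pdo is a PDO connection and $table_prefix is the configured prefix
// (operator configuration, not user input, so it is safe to interpolate).

// Keep only entries whose key is a plausible numeric formitem_id.
// The original code trusted $key; PHP stores keys as int or string, and a
// string key such as "1 OR 1=1" would have been spliced straight into SQL.
function sanitizeFormItems(array $form_attributes): array
{
    $clean = [];
    foreach ($form_attributes as $key => $val) {
        if (!preg_match('/^\d{1,10}$/', (string)$key)) {
            continue; // reject anything that is not a non-negative integer id
        }
        if ($val === null || $val === '') {
            continue; // mirrors array_filter() in the original
        }
        $clean[(int)$key] = (string)$val;
    }
    return $clean;
}

function addFormAttributes(PDO $pdo, string $table_prefix, int $primary_id,
                           array $form_attributes, int $form_id = 1, int $type_id = 1): void
{
    $table  = $table_prefix . 'formattributes';
    $where  = 'primary_id = :pid AND formitem_id = :fid AND type_id = :tid AND form_id = :form';
    $select = $pdo->prepare("SELECT id FROM {$table} WHERE {$where}");
    $update = $pdo->prepare("UPDATE {$table} SET attribute = :attr WHERE {$where}");
    $insert = $pdo->prepare("INSERT INTO {$table} (type_id, form_id, formitem_id, primary_id, attribute)
                             VALUES (:tid, :form, :fid, :pid, :attr)");

    foreach (sanitizeFormItems($form_attributes) as $formitem_id => $attribute) {
        $params = [':pid' => $primary_id, ':fid' => $formitem_id,
                   ':tid' => $type_id,    ':form' => $form_id];
        $select->execute($params);
        $exists = $select->fetchColumn() !== false;
        $select->closeCursor();
        // Both the key (formitem_id) and the value (attribute) are bound,
        // so neither can alter the statement regardless of magic_quotes_gpc.
        if ($exists) {
            $update->execute($params + [':attr' => $attribute]);
        } else {
            $insert->execute($params + [':attr' => $attribute]);
        }
    }
}
```

A global input filter that only walks array values is a recurring blind spot; validating keys at the point of use, as above, does not depend on the filter at all.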
### Proof of vulnerability:
Register a member account, publish a supply/demand listing, then edit it:
[![1.png](https://images.seebug.org/upload/201501/221017045d576e5f3d79fd8f751aeca67f6cf4ef.png)](https://images.seebug.org/upload/201501/221017045d576e5f3d79fd8f751aeca67f6cf4ef.png)
Modify the parameters and submit.
SQL log:
[![2.png](https://images.seebug.org/upload/201501/22101715b39c65943411788e34fbf6752cd77b93.png)](https://images.seebug.org/upload/201501/22101715b39c65943411788e34fbf6752cd77b93.png)