### Summary:
Latest version.
### Details:
In lib/indexaction.php:
```php
public function saveself()
{
$user = $_SESSION['youyax_user'];
if ($user == "" || $user == null)
$this->redirect("Index" . C('default_url') . "index" . C('static_url'));
$face = addslashes($_POST['face']);
mysql_query("update " . C('db_prefix') . "user set face='" . $face . "' where user='" . $user . "'");
mysql_query("update " . C('db_prefix') . "talk set face='" . $face . "' where zuozhe='" . $user . "'");
mysql_query("update " . C('db_prefix') . "reply set face1='" . $face . "' where zuozhe1='" . $user . "'");
mysql_query("update " . C('db_prefix') . "mark2 set pic='" . $face . "' where marker='" . $user . "'");
mysql_query("update " . C('db_prefix') . "mark1 set pic='" . $face . "' where marker='" . $user . "'");
$this->assign('jumpurl', $this->youyax_url . "/Index" . C('default_url') . "self" . C('static_url'))->assign('msgtitle', '操作成功')->assign('message', '图片更新成功!')->success();
}
```
The value is stored in the database here, as before. Although $face is run through addslashes once, the escaping backslashes disappear once the value is stored: MySQL strips them when it parses the quoted literal, so the column holds the original, unescaped string.
Now find where the value is read back out.
0x01 In lib/contentaction.php:
```php
public function mark()
{
$mix = require("./Conf/mix.config.php");
if ($mix['is_limit_time']) {
if (!LimitAction::limit_time($mix['limit_time'])) {
$this->assign("msgtitle", "操作限制!")->assign("message", "在" . $mix['limit_time'] . "秒内不能发帖和回帖!")->assign("jumpurl", C('SITE'))->error();
}
}
$tid = intval($_POST['id']);
if (!is_numeric($tid)) {
$this->assign("msgtitle", "操作错误!")->assign("message", "点评序号不为非数字!")->assign("jumpurl", C('SITE'))->error();
}
$rid = intval($_POST['id2']);
$mid = intval($_POST['mid']);
$content = filter_var($_POST['t'], FILTER_CALLBACK, array(
"options" => "filter_function"
));
$content = nl2br(addslashes(htmlspecialchars($content, ENT_QUOTES,"UTF-8")));
$reply_u = addslashes($_POST['reply_u']);
```
```php
if (empty($rid)) {
$user = $this->find(C('db_prefix') . "user", "string", "user='" . $marker . "'");//read back from the database here
$pic = $user['face'];//read from the database
/*$result = $this->find(C('db_prefix') . "mark1", "string", "tid=" . $tid . " and marker='" . $marker . "'");
if ($result) {
echo "<script>alert('您不能重复点评');</script>";
} else {*/
if (!empty($reply_u)) {
$res = $this->find(C('db_prefix') . "mark1", "string", "marker='" . $reply_u . "' and id=" . $mid);
if ($res) {
$content = "<span style=\'vertical-align:top;display:inline-block;*display:inline;\'>" . $_SESSION['youyax_user'] . " @ " . $reply_u . " :</span><span style=\'display:inline-block;*display:inline;\'>" . $content . "</span>";
} else {
$this->assign("code", "操作错误!")->assign("msg", "非法操作")->display("Public/exception.html");
echo "<script>setTimeout(function(){window.parent.location.href='" . $this->youyax_url . "/Content" . C('default_url') . "index" . C('default_url') . "id" . C('default_url') . $tid . C('static_url') . "#p" . $num2 . "';},3000)</script>";
exit;
}
}
mysql_query("insert into " . C('db_prefix') . "mark1(tid,marker,pic,count,content,time) values(" . $tid . ",'" . $marker . "','" . $pic . "',1,'" . $content . "',now())");//$pic is concatenated straight into the query
```
After being read back from the database, the value goes straight into the query without any escaping, which causes a second-order SQL injection.
[![y4.jpg](https://images.seebug.org/upload/201406/071201518100aa8b74d0aea58ea4eaed565cbece.jpg)](https://images.seebug.org/upload/201406/071201518100aa8b74d0aea58ea4eaed565cbece.jpg)
[![y5.jpg](https://images.seebug.org/upload/201406/07120251bfe20b78aae0a03c2a0aa9ea25ca6322.jpg)](https://images.seebug.org/upload/201406/07120251bfe20b78aae0a03c2a0aa9ea25ca6322.jpg)
The single quote is successfully introduced into the query, so injection is possible.
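As an added example (not YouYaX code), the two functions below rewrite saveself() and the insert in mark() with PDO prepared statements, which is the fix for a second-order injection of this kind: every value is bound as data at every query, so nothing that was stored is ever assumed to be "already escaped". It assumes a PDO connection `$pdo` to MySQL, the prefix from C('db_prefix') passed in as `$prefix`, and hypothetical function names; the avatar value at the top is constructed to show why the original addslashes() gives no protection across a store-and-load round trip.

```php
<?php
// Added example, not part of YouYaX. Assumes $pdo is a PDO connection to MySQL
// and $prefix is the table prefix returned by C('db_prefix').

// Why addslashes() at store time does not help later:
$face    = "a' or '1'='1";        // constructed value, the kind an attacker would post as $_POST['face']
$escaped = addslashes($face);     // a\' or \'1\'=\'1  -- safe to paste into ONE query
// MySQL removes the backslashes when it parses the quoted literal, so the column
// ends up holding the original "a' or '1'='1". The moment mark() reads it back
// and concatenates it into the insert, the quote is live again.

// Fixed saveself(): bind both values in each update, no manual escaping.
function save_face(PDO $pdo, string $prefix, string $user, string $face): void
{
    $updates = [
        "update {$prefix}user  set face  = ? where user    = ?",
        "update {$prefix}talk  set face  = ? where zuozhe  = ?",
        "update {$prefix}reply set face1 = ? where zuozhe1 = ?",
        "update {$prefix}mark2 set pic   = ? where marker  = ?",
        "update {$prefix}mark1 set pic   = ? where marker  = ?",
    ];
    foreach ($updates as $sql) {
        $pdo->prepare($sql)->execute([$face, $user]);
    }
}

// Fixed insert from mark(): the avatar read back from the database is bound
// as a parameter, so whatever it contains can never become part of the SQL text.
function insert_mark(PDO $pdo, string $prefix, int $tid, string $marker, string $content): void
{
    $stmt = $pdo->prepare("select face from {$prefix}user where user = ?");
    $stmt->execute([$marker]);
    $pic = (string) $stmt->fetchColumn();

    $stmt = $pdo->prepare(
        "insert into {$prefix}mark1 (tid, marker, pic, count, content, time)"
        . " values (?, ?, ?, 1, ?, now())"
    );
    $stmt->execute([$tid, $marker, $pic, $content]);
}

// Usage (hypothetical connection details):
// $pdo = new PDO('mysql:host=localhost;dbname=youyax;charset=utf8mb4', 'user', 'pass',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// save_face($pdo, 'yy_', $_SESSION['youyax_user'], $_POST['face']);
// insert_mark($pdo, 'yy_', $tid, $_SESSION['youyax_user'], $content);
```

The point of the rewrite is that the same value is bound on both the store and the load side; escaping at the input boundary only protects the one statement it is pasted into. Note also that the mysql_* functions used by the original code were removed in PHP 7, so moving to PDO or mysqli is required in any case.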
### Proof of vulnerability:
See the details above.