### 简要描述:
参数过滤不严。
### 详细说明:
出现问题的地方在:/Web/Lib/Action/MemberAction.class.php
```
function qqcreate(){
$data = array_map('strval',$_POST);
$data = array_map('remove_xss',$data);
if($data['realname']=='' || $data['qid']==''){$this->error('参数错误!');exit();}
$t = M('member')->where("username='".$data['realname']."'")->find();
if(!$t){
$data['username'] = $data['realname'];
}else{
$data['username'] = (string)time();
}
$data['userpwd'] = md5(time().rand(0,9999));
$User = D("Member"); // 实例化User对象
if ($User->create()){
$this->error($User->getError());
}else{
$uid = M('member')->add($data);
$_SESSION['dami_uid'] = $uid;
$_SESSION['dami_username'] = $data['username'];
$_SESSION['dami_usericon'] = $data['icon'];
if(!empty($_REQUEST['lasturl'])){
$this->assign('jumpUrl',urldecode(htmlspecialchars($_REQUEST['lasturl'])));
}else{
$this->assign('jumpUrl',U('Member/main'));
}
$this->success('绑定成功,正在登陆~');
}
}
```
我们看到这,直接save了变量data,data是一个数组,在之前没有判断字段合法性,这样就可以修改其他字段的数据了:
```
$uid = M('member')->add($data);
```
如果我们post money=999999 可以就可以得到一个有999999元的账户,此漏洞类似于 [WooYun: 大米CMS v4.9 sql注入](http://www.wooyun.org/bugs/wooyun-2015-090532)
[<img src="https://images.seebug.org/upload/201504/08231851710b68dd274f654ee66eb71e905a0e05.png" alt="屏幕快照 2015-04-08 下午11.18.41.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/08231851710b68dd274f654ee66eb71e905a0e05.png)
### 漏洞证明:
[<img src="https://images.seebug.org/upload/201504/08232016d520f3b94493b5038f393a3bed8d2b5a.png" alt="屏幕快照 2015-04-08 下午11.18.41.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/08232016d520f3b94493b5038f393a3bed8d2b5a.png)
京公网安备 11010502034610号
暂无评论