phpmps 某处存在sql注入（鸡肋）

### 简要描述： phpmps 某处存在sql二次注入 ### 详细说明： phpmps_v2.3_build121113_utf8 在用户注册时候，虽然做了转移，但是存储到数据库的时候转义符被去掉，从而造成sql二次注入，登陆后跳转截图 [<img src="https://images.seebug.org/upload/201401/1113262722237f93c30d399bcffe8d1e1fb84742.png" alt="ss.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/1113262722237f93c30d399bcffe8d1e1fb84742.png) 点击左侧的购买信息币处： [<img src="https://images.seebug.org/upload/201401/111327548ba6c1060516e67220b6c21e866b3a3c.png" alt="qq.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/111327548ba6c1060516e67220b6c21e866b3a3c.png) 此处有两处，都是从数据库直接取出来用户名，做用户查询所用: 在member.php里面： ``` 526 case 'act_gold': 527 $type = $_POST['type']; 528 $number = $type == 'money2gold' ? intval($_POST['m_number']) : intval($_POST['c_number']); 529 530 if($number <= 0)showmsg('数量必须大于0'); 531 $userinfo = member_info($_userid); 532 $_credit = $number * $CFG['credit2gold']; 533 $_money = $number * $CFG['money2gold']; 534 535 if($type == 'money2gold') { 536 if($_money > $userinfo['money']) showmsg('您的资金不足以支付此次购买'); 537 money_diff($_username, $_money, $type); 538 } else { 539 if($_credit > $userinfo['credit']) showmsg('您的积分不足以支付此次购买'); 540 credit_diff($_username, $_credit, $type); 541 } 542 gold_add($_username, $number, $type); 543 showmsg('购买信息币成功' , 'member.php?act=gold'); 544 break; ``` 追踪到相关函数： ``` 21 function gold_diff($username, $number, $note = '', $authid = '') 22 { 23 global $db, $table; 24 $number = intval($number); 25 if($number < 0) showmsg('数量不能小于0'); 26 $note = addslashes($note); 27 $r = member_info($username,'2'); 28 if(!$r) showmsg('不存在此用户'); 29 extract($r); 30 $time = time(); 31 $ip = get_ip(); 32 if($number > $gold) showmsg('您的金额不够支付'); 33 $db->query("UPDATE {$table}member SET gold=gold-$number WHERE username='$username'"); 34 $db->query("INSERT INTO {$table}pay_exchange (`username`,`type`,`value`,`note`,`addtime`,`ip`) VALUES('$username','g old','-".$number."','$note','$time','$ip')"); ``` ``` 43 function credit_add($username, $number, $note = '') 44 { 45 global $db, $table; 46 $number = intval($number); 47 if($number < 0) showmsg('数量不能小于0'); 48 $db->query("UPDATE {$table}member SET credit=credit+$number WHERE username='$username'"); 49 $note = addslashes($note); 50 $time = time(); 51 $ip = get_ip(); 52 if($db->affected_rows() == 0) showmsg('添加失败'); 53 $db->query("INSERT INTO {$table}pay_exchange (`username`,`type`,`value`,`note`,`addtime`,`ip`) VALUES('$username','c redit','$number','$note','$time','$ip')"); 54 } ``` 由此可见两处都没有对从数据库取出来的参数进行过滤，所以导致sql注入 ### 漏洞证明： 在资金购买信息币处，验证处sql报错，后面的利用就不用多说了，很简单 [<img src="https://images.seebug.org/upload/201401/11133440e164e5b0345419640eba864425575b99.png" alt="y1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/11133440e164e5b0345419640eba864425575b99.png) 显示: MySQL server error report:Array ( [0] => Array ( [message] => MySQL Query Error ) [1] => Array ( [sql] => select * from phpmps_member where username='jkgh009'' ) [2] => Array ( [error] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''jkgh009''' at line 1 ) [3] => Array ( [errno] => 1064 ) )