EasyTalk Sql Injection 11-15

### 简要描述： 过滤不严。 ### 详细说明： 注入11： 在friendsaction.class.php中 public function _initialize() { parent::init(); parent::tologin(); import("@.ORG.Page"); $this->fModel=D('Friend'); $this->uModel=D('Users'); $username=$this->_get('username'); $this->keyword=trim($this->_get('keyword')); $this->keyword=$this->keyword==L('inputfollowaccount')?'':$this->keyword; if (!$username || $username==$this->my['user_name']) { $this->user=$this->my; } else { $this->user=$this->uModel->where("user_name='$username'")->find(); } $username=$this->_get('username'); 未过滤 $this->user=$this->uModel->where("user_name='$username'")->find(); 查询。 [<img src="https://images.seebug.org/upload/201402/06171546db7f7ed65aee9709c9ca96ff59c645df.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/06171546db7f7ed65aee9709c9ca96ff59c645df.jpg) 所执行的语句。 [<img src="https://images.seebug.org/upload/201402/0617155784468cb4a2481daf97c34b7db7391ca9.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/0617155784468cb4a2481daf97c34b7db7391ca9.jpg) 延时成功 [<img src="https://images.seebug.org/upload/201402/06171613467cd2a36f806c8ba047c0817c5bf952.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/06171613467cd2a36f806c8ba047c0817c5bf952.jpg) 注入12： 在Imaction.class.php中 ``` public function getDayRecord() { $uid=$_POST['user_id']; $user=M('Users')->where("user_id='$uid'")->find(); if ($user) { $info=getsubstr($user['user_info'],0,50); $info=$info?$info:L('nothing_write'); $data = D('MessagesView')->where("(senduid='".$this->my['user_id']."' AND sendtouid='$uid') OR (senduid='$uid' AND sendtouid='".$this->my['user_id']."')")->order("message_id DESC")->limit(10)->select(); ``` 无过滤。$uid=$_POST['user_id']; $user=M('Users')->where("user_id='$uid'")->find(); 带入查询。 延时注入。 同文件 一样的 //定时获得最新内容 ``` public function timeResponse() { if ($this->my['priread']>0) { $data = D('MessagesView')->where("sendtouid='".$this->my['user_id']."' AND isread=0")->select(); if ($data) { $aCent=A('Content'); foreach ($data as $val) { $val['messagebody']=$aCent->ubb($val['messagebody']); $val['sendtime']=timeop($val['sendtime']); $newMessage[]=$val; } } //标记已读 $currentuid=$_POST['currentuid']; M('Messages')->where("senduid='$currentuid' AND sendtouid='".$this->my['user_id']."'")->setField('isread',1); $count=M('Messages')->where("sendtouid='".$this->my['user_id']."' AND isread=0")->count(); if ($count==0) { M('Users')->where("user_id='".$this->my['user_id']."'")->setField('priread',0); } } echo json_encode(array('newMessage'=>$newMessage)); ``` img src="https://images.seebug.org/upload/201402/061735055282f7ea9fe907392a6c191d77c96243.jpg" alt="1.jpg" /> 所执行的语句 [<img src="https://images.seebug.org/upload/201402/061735420aa524ef5562a1122c2335faeb58afff.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/061735420aa524ef5562a1122c2335faeb58afff.jpg) 延时 [<img src="https://images.seebug.org/upload/201402/06173629651aca16c9312b1258976f8b581140b5.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/06173629651aca16c9312b1258976f8b581140b5.jpg) 注入13： 在indexaction.class.php中 ``` public function checkreset() { $uModel=D('Users'); $urldata=$_REQUEST['urldata']; parse_str(base64_decode($urldata));//变量覆盖 if (time()-$dateline>3600*5) { setcookie('setok', json_encode(array('lang'=>L('reset3'),'ico'=>2)),0,'/');//该地址已经过期，请重新“找回密码” header('location:'.SITE_URL.'/?m=index&a=reset'); exit; } else { $user=$uModel->getUser("user_id='$user_id' AND user_name='$user_name' AND mailadres='$mailadres'"); if (!$user['user_id']) { setcookie('setok', json_encode(array('lang'=>L('reset4'),'ico'=>2)),0,'/');//地址验证失败，请重新“找回密码” header('location:'.SITE_URL.'/?m=index&a=reset'); exit; } } ``` time()-$dateline>3600*5 这里做了验证。 那么就直接覆盖掉$dataline 然后让他小于3600*5 就让$dataline越大越好。 $user=$uModel->getUser("user_id='$user_id' AND user_name='$user_name' AND mailadres='$mailadres'"); 这里带入了查询 干脆就来覆盖掉$user_id 来形成注入 [<img src="https://images.seebug.org/upload/201402/06182004327142e9562ce7265460e0c619ee64b2.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/06182004327142e9562ce7265460e0c619ee64b2.jpg) 这里 变量覆盖。 所执行的语句 [<img src="https://images.seebug.org/upload/201402/06182020641fa84597d58c85640192cf0d1d6906.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/06182020641fa84597d58c85640192cf0d1d6906.jpg) 延时成功 可注入 [<img src="https://images.seebug.org/upload/201402/06182043cc56e1a4972abcf88e984693312e68d2.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/06182043cc56e1a4972abcf88e984693312e68d2.jpg) 注入14： ``` public function showmore() { $nowpage=$_GET['nowpage']; $oricid=$_GET['oricid']; $uid=$_GET['uid']; if ($nowpage) { $photos=M('Content')->where("user_id='$uid' AND FIND_IN_SET('p',filetype)")->order('content_id ASC')->limit(($nowpage*9-9).',9')->select(); if ($photos) { ``` 如果$nowpage 为true 则带入查询 无过滤。 SELECT * FROM `et_content` WHERE user_id='aa' AND FIND_IN_SET('p',filetype) ORDER BY content_id ASC LIMIT 1098,9 所执行的语句 构造之 [<img src="https://images.seebug.org/upload/201402/061833310f2bebfd68673cfce62e7705ec67a1c5.jpg" alt="PHUY61@KJRJOZDOXB%D{DZC.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/061833310f2bebfd68673cfce62e7705ec67a1c5.jpg) Success。 注入15： 在spaceaction.class.php中 ``` public function home(){ $cview=D('ContentView'); $t=$_GET['t']?$_GET['t']:'a'; $type=$_GET['type']?$_GET['type']:'home'; $group=$_GET['group']?$_GET['group']:'0'; $gid=$_GET['gid']; $hq=$_GET['hq'];//无过滤 $dt=$_GET['dt']; //搜索条件 $condition=' AND replyid=0'; if (in_array($t,array('p','m','v'))) { $condition=" AND FIND_IN_SET('{$t}',filetype)"; } else if ($t=='o') { $condition=' AND retid=0'; } else if ($t=='r') { $condition=' AND retid!=0'; } if ($hq) {//关键词搜索 $condition.=' AND content_body LIKE "%'.$hq.'%"'; } if ($dt) {//时间搜索 $stime=strtotime($dt.' 00:00:00'); $condition.=' AND posttime>='.$stime.' AND posttime<='.($stime+86400); ``` 带入条件。 if ($hq) {//关键词搜索 $condition.=' AND content_body LIKE "%'.$hq.'%"'; 然后查询。 执行的时候 SELECT Content.content_id AS content_id,Content.content_body AS content_body,Content.posttime AS posttime,Content.type AS type,Content.filetype AS filetype,Content.retid AS retid,Content.replyid AS replyid,Content.replytimes AS replytimes,Content.zftimes AS zftimes,Content.pinbi AS pinbi,Content.zhiding AS zhiding,Content.praisetimes AS praisetimes,Plugins.name AS appname,Plugins.directory AS directory,Plugins.available AS available,Plugins.type AS apptype,Users.user_id AS user_id,Users.user_name AS user_name,Users.nickname AS nickname,Users.user_head AS user_head,Users.user_auth AS user_auth,Users.provinceid AS provinceid,Users.cityid AS cityid FROM et_content Content ignore index(replyid) LEFT JOIN et_plugins Plugins ON Content.type=Plugins.directory LEFT JOIN et_users Users ON Content.user_id=Users.user_id LEFT JOIN et_friend Friend ON Content.user_id=Friend.fid_jieshou AND Friend.fid_fasong=2 WHERE (Content.user_id='2' OR fid_fasong='2') AND replyid=0 AND content_body LIKE "%a%" ORDER BY Content.posttime DESC LIMIT 0,20 构造一下 [<img src="https://images.seebug.org/upload/201402/06185337f627f42e6c38850667e161de28fd0c88.jpg" alt="8M0MREE1LZ%P8V8CP]MC%F6.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/06185337f627f42e6c38850667e161de28fd0c88.jpg) 注入成功 有图 有真相。 ### 漏洞证明：