### Brief description:
Registering an ordinary commenter account is enough to inject your way to the administrator.
### Detailed description:
I couldn't find where your function that accepts the POST variables is, so I assume the problem is in /zb_system/function/lib/dbsql.php
```php
public function ParseWhere($where){
    global $zbp;
    $sqlw=null;
    if(!empty($where)) {
        $sqlw .= ' WHERE ';
        $comma = '';
        foreach($where as $k => $w) {
            $eq=$w[0];
            if($eq=='='|$eq=='<'|$eq=='>'|$eq=='LIKE'|$eq=='<>'|$eq=='!='){
                $x = (string)$w[1];
                $y = (string)$w[2];
                $y = $zbp->db->EscapeString($y);
                $sqlw .= $comma . " $x $eq '$y' ";
            }
            if($eq=='BETWEEN'){
                $b1 = (string)$w[1];
                $b2 = (string)$w[2];
                $b3 = (string)$w[3];
                $sqlw .= $comma . " $b1 BETWEEN '$b2' AND '$b3' ";
            }
            if($eq=='search'){
                $j=count($w);
                $sql_search='';
                $c='';
                for ($i=1; $i <= $j-1-1; $i++) {
                    $x=(string)$w[$i];
                    $y=(string)$w[$j-1];
                    $y=$zbp->db->EscapeString($y);
                    $y=$w[$j-1]; // the escaped value is overwritten with the raw one here
                    $sql_search .= $c . " ($x LIKE '%$y%') ";
                    $c='OR';
                }
                $sqlw .= $comma . '(' . $sql_search . ')';
            }
            if($eq=='array'){
                $c='';
                $sql_array='';
                if(!is_array($w[1]))continue;
                if(count($w[1])==0)continue;
                foreach ($w[1] as $x=>$y) {
                    $y[1]=$zbp->db->EscapeString($y[1]);
                    $sql_array .= $c . " $y[0]='$y[1]' ";
                    $c='OR';
                }
                $sqlw .= $comma . '(' . $sql_array . ')';
            }
            if($eq=='custom'){
                $sqlw .= $comma . '(' . $w[1] . ')'; // concatenated without any escaping
            }
            $comma = 'AND';
        }
    }
    echo $sqlw; // echo the SQL statement while I'm at it; your string concatenation is painful to read
    return $sqlw;
}
```
[![1.jpg](https://images.seebug.org/upload/201309/24122032c561068e338545038ee1e4e150fd9873.jpg)](https://images.seebug.org/upload/201309/24122032c561068e338545038ee1e4e150fd9873.jpg)
The injection is exploited the same way as in [WooYun: Z-Blog的php版前台正则SQL盲注漏洞](http://www.wooyun.org/bugs/wooyun-2013-037956); run sqlmap against it and the data comes out.
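As an added illustration of the fix (this is not Z-Blog's code), the `search` branch above rewritten so the escaped keyword is the one that reaches the query and column names come from a caller-supplied whitelist. The `$escape` callable stands in for `$zbp->db->EscapeString`, and the column names and keyword in the demo are constructed for the example.

```php
<?php
// Hardened replacement for the 'search' branch of ParseWhere (added example).
// $w has the same shape the original loop expects: ['search', col1, ..., colN, keyword]
function buildSearchClause(array $w, callable $escape, array $allowedColumns): string
{
    $j = count($w);
    if ($j < 3) {
        throw new InvalidArgumentException('search needs at least one column and a keyword');
    }
    // Escape exactly once and keep using the escaped copy; the original code
    // escaped $y and then overwrote it with the raw $w[$j-1].
    $keyword = $escape((string)$w[$j - 1]);
    // '%' and '_' are LIKE wildcards, not injection, but a user should not be
    // able to turn a search term into a match-everything pattern.
    $keyword = addcslashes($keyword, '%_');

    $parts = [];
    for ($i = 1; $i <= $j - 2; $i++) {
        $col = (string)$w[$i];
        // Column identifiers cannot be quoted like values, so they must be whitelisted.
        if (!in_array($col, $allowedColumns, true)) {
            throw new InvalidArgumentException("column not allowed: $col");
        }
        $parts[] = "($col LIKE '%$keyword%')";
    }
    return '(' . implode(' OR ', $parts) . ')';
}

// Constructed demo: stand-in escaper and hypothetical column names.
$escape = fn(string $s): string => addslashes($s);
$allowed = ['log_Title', 'log_Content'];
echo buildSearchClause(['search', 'log_Title', 'log_Content', "O'Reilly"], $escape, $allowed), "\n";
```

With a real driver, pass `[$zbp->db, 'EscapeString']` as `$escape`; the apostrophe in the keyword then appears escaped in the generated clause instead of closing the string literal.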
### Proof of vulnerability:
[![1.jpg](https://images.seebug.org/upload/201309/24122032c561068e338545038ee1e4e150fd9873.jpg)](https://images.seebug.org/upload/201309/24122032c561068e338545038ee1e4e150fd9873.jpg)