Vicworl过滤不严造成注入

  • A+
所属分类:漏洞时代
摘要

因为get_client_ip()是直接取值的然后出现在文件/ajax.php、register.php、/library/global.inc.php、/library/module/user/article.php、/library/module/user/leaveword.php文件里面
其中的
/ajax.php

因为get_client_ip()是直接取值的

function get_client_ip( ) {     if ( getenv( "HTTP_CLIENT_IP" ) )     {         $_obfuscate_Xiw36fNBySKi = getenv( "HTTP_CLIENT_IP" );         return $_obfuscate_Xiw36fNBySKi;     }     if ( getenv( "HTTP_X_FORWARDED_FOR" ) )     {         $_obfuscate_Xiw36fNBySKi = getenv( "HTTP_X_FORWARDED_FOR" );         return $_obfuscate_Xiw36fNBySKi;     }     if ( getenv( "REMOTE_ADDR" ) )     {         $_obfuscate_Xiw36fNBySKi = getenv( "REMOTE_ADDR" );         return $_obfuscate_Xiw36fNBySKi;     }     $_obfuscate_Xiw36fNBySKi = $_obfuscate_JcJqqO21rjSw7UE886oo['REMOTE_ADDR'];     return $_obfuscate_Xiw36fNBySKi; }

然后出现在文件/ajax.php、register.php、/library/global.inc.php、/library/module/user/article.php、/library/module/user/leaveword.php文件里面
其中的
/ajax.php

case "AddVideoComment" :     if ( empty( $vicworl_uid ) )     {         echo "<script>alert('请先登陆!');</script>";         exit( );     }   ......................       if ( $_VCACHE['setting']['commentauditing'] == 1 )     {         $id *= -1;         $tmpSTR = "评论成功!待审核后即可显示!";     }     $strSQL = "insert into `".$tablepre."comment` (`id`,`ip`,`content`,`uid`,`commenter`,`type`,`articleId`,`createtime`) values (NULL,'".get_client_ip( ).( "','".$content."',{$vicworl_uid},{$vicworl_uid},1,{$id},'" ).time( )."')";//直接插入了,不过需要登录。感觉鸡肋了     $acCount = sql_exec( $strSQL );     if ( !( 0 < $acCount ) )     {         break;     }

注册的也是差不多的,对其中的用户输入的可控的都进行了检测
/library/global.inc.php

function login_user( $_obfuscate_7Ri3, $_obfuscate_5M�, $_obfuscate_bMTHRBOlpQ��, $_obfuscate_w02s3qQQ8NFCUw�� ) {     global $tablepre;     if ( $_obfuscate_7Ri3 == 0 )     {         return 0;     }     $_obfuscate_O7X9lw�� = get_one_column( "SELECT `password` FROM `".$tablepre."user` WHERE `uid`='{$_obfuscate_7Ri3}' AND `admin`='{$_obfuscate_w02s3qQQ8NFCUw��}'" );     if ( $_obfuscate_5M� == $_obfuscate_O7X9lw�� )     {         sql_exec( "UPDATE `".$tablepre."user` SET `ip`='".get_client_ip( ).( "' WHERE `uid`='".$_obfuscate_7Ri3."'" ) );  //好奇怪的调用,这里为何需要update存进数据库么?而且还是需要账号和密码都哦正常才可以         authsetcookie( $_obfuscate_7Ri3, $_obfuscate_5M�, $_obfuscate_bMTHRBOlpQ��, $_obfuscate_w02s3qQQ8NFCUw�� );         return 1;     }     return 0; }

而后看到对其的调用方式是
$member = login_user( $vicworl_uid, $npassword, $vicworl_expires, $vicworl_adminlevel );
说明,首先判断的是是否有uid传入,如果不为0,就对比password,如果匹配成功就直接更新数据。再调用cookie。这里太鸡肋了,我都有账号和密码了,还要咋个注入干啥。不过低权限的是可以继续的。

/library/module/user/article.php else if ( $step == "addComment" ) {     $articleId = trim( $articleId );     $ip = get_client_ip( );     $createtime = time( );     $content = trim( $content );     if ( empty( $vicworl_uid ) )     {         msg( "评论前请先登陆!", "home.php?action=article&id=".$id."&step=detail&articleId={$articleId}" );         exit( );     }     if ( !checklen( $content, 5, 1000 ) )      $tmpSTR = "";     if ( $_VCACHE['setting']['commentauditing'] == 1 )     {         $articleId *= -1;         $tmpSTR = "评论待审核后即可显示!";     }     $sql = "INSERT INTO `".$tablepre."comment` (/r/n/t/t/t/t`id` ,/r/n/t/t/t/t`ip` ,/r/n/t/t/t/t`content` ,/r/n/t/t/t/t`uid` ,/r/n/t/t/t/t`commenter` ,/r/n/t/t/t/t`type` ,/r/n/t/t/t/t`articleId` ,/r/n/t/t/t/t`createtime`/r/n/t/t/t/t)/r/n/t/t/t/tVALUES (/r/n/t/t/t/tNULL , /r/n/t/t/t/t'{$ip}', /r/n/t/t/t/t'{$content}', /r/n/t/t/t/t'{$id}', /r/n/t/t/t/t'{$vicworl_uid}', /r/n/t/t/t/t'0', /r/n/t/t/t/t'{$articleId}',/r/n/t/t/t/t'{$createtime}'/r/n/t/t/t/t)";     $count = sql_exec( $sql ); 

一样的需要登录以后才可以。但是暂时好像还没看到不需要登录的。

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: