/Lib/MessageAction.php line 94

    public function delMesses() {
        $user = $_SESSION['youyax_user'];
        if ($user == "" || $user == null)
            $this->redirect("Index" . C('default_url') . "index" . C('static_url'));
        for ($k = 0; $k < count($_POST['cb']); $k++) {
            $id = $_POST['cb'][$k];
            $result = $this->find(C('db_prefix') . "message", 'string', "mto='" . $_SESSION['youyax_user'] . "' and id='" . $id . "'");
            if ($result) {
                $this->delete(C('db_prefix') . "message", "mto='" . $_SESSION['youyax_user'] . "' and id='" . $id . "'");
            }
        }
        $this->assign('jumpurl', $this->youyax_url . "/Message" . C('default_url') . "show" . C('static_url'))
             ->assign('msgtitle', '操作成功')
             ->assign('message', '消息已删除!')
             ->success();
    }

$id = $_POST['cb'][$k]; goes straight into $this->find() without any filtering. Let's look at find(), /ORG/YouYa.php line 356:

    public function find($table, $ext = "string", $param) {
        // search $param for substrings matching the given regular expression pattern
        if (preg_match_all("/=/", $param, $tmp)) {
            $sql = "select * from " . $table . " where " . $param;
        } else {
            $param = "id=" . intval($param);
            $sql = "select * from " . $table . " where " . $param;
        }
        $result = mysql_query($sql);

As long as $param contains an "=", intval() is never applied. This spot has no output either, so only time-based injection works, exactly as in "YouYaX_V5.47 SQL injection vulnerability (the official site was hit too)": http://www.2cto.com/Article/201407/320189.html

As a bonus, a rather limited local file inclusion, /ORG/YouYa.php line 107:

    private function deal($tp) {
        if (isset($_COOKIE['youyax_lang'])) {
            $this->lang = require("lang/" . $_COOKIE['youyax_lang'] . "/lang.php"); // not exactly safe, is it
            $this->array_array['lang'] = $this->lang;

If the current MySQL user has the FILE privilege but the web directory is not writable, the injection can be used to write a lang.php into /tmp; setting the cookie youyax_lang to ../../../tmp then includes the shell.

    POST http://bbs.youyax.com/Message-delMesses.aspx HTTP/1.1
    Host: bbs.youyax.com

    dropdown=del&cb[]=1'

That is enough to see the error message. The concrete injection method is the same as in "YouYaX_V5.47 SQL injection vulnerability (the official site was hit too)" http://www.2cto.com/Article/201407/320189.html, so there is no need to demonstrate it with sqlmap.

Fix: don't miss any of them.
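For reference, a hardened rewrite of the two spots above. This is an added example, not YouYaX project code; it assumes a PDO connection ($pdo), the table prefix and the language directory are passed in as parameters, which are my assumptions, not the project's API.

```php
<?php
// Added example (not YouYaX code): hardened versions of delMesses()'s id
// handling and deal()'s language lookup. $pdo, $prefix and $langDir are assumed.

// 1. Message deletion: cb[] values are cast to int and bound as parameters,
//    never spliced into the SQL string, so an "=" in the input changes nothing.
function deleteOwnMessages(PDO $pdo, string $prefix, string $owner, array $ids): int
{
    $clean = array_values(array_unique(array_filter(
        array_map('intval', $ids),
        function ($id) { return $id > 0; }
    )));
    if ($clean === []) {
        return 0;
    }
    $marks = implode(',', array_fill(0, count($clean), '?'));
    // The ownership condition (mto = owner) stays in the WHERE clause, so a
    // user cannot delete someone else's messages by guessing ids.
    $stmt = $pdo->prepare("DELETE FROM {$prefix}message WHERE mto = ? AND id IN ($marks)");
    $stmt->execute(array_merge([$owner], $clean));
    return $stmt->rowCount();
}

// 2. Language selection: the cookie names a directory, so accept only values
//    from a fixed allow-list and confirm the resolved path stays under lang/.
function resolveLangFile(string $langDir, ?string $cookie, array $allowed): ?string
{
    if ($cookie === null || !in_array($cookie, $allowed, true)) {
        $cookie = $allowed[0];             // fall back to the default language
    }
    $base = realpath($langDir);
    $file = realpath($langDir . '/' . $cookie . '/lang.php');
    // realpath() collapses ../ segments, so a traversal value either fails to
    // resolve or resolves outside $base; both cases are rejected.
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// Usage sketch (assumed names): in delMesses(), replace the loop with
//   deleteOwnMessages($pdo, C('db_prefix'), $_SESSION['youyax_user'], $_POST['cb'] ?? []);
// and in deal(), require() only what resolveLangFile('lang', $_COOKIE['youyax_lang'] ?? null, ['zh-cn', 'en']) returns.
```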