|
后台登陆界面存在检查功能,不安全取值导致的SQL注入。
/controller/controller_class.php
public function check()
{
$this->safebox = Safebox::getInstance();
$this->title='后台登录';
$code = $this->safebox->get($this->captchaKey);
if($code != strtolower(Req::args($this->captchaKey)))
{
$this->msg='验证码错误!';
$this->layout = "";
$this->redirect('login',false);
}
else
{
$manager = new Manager(Req::args('name'),Req::args('password'));
$this->msg='验证码错误!';
if($manager->getStatus() == 'online')
{
$back = Req::args('callback');
$model = new Model("manager");
$model->data(array('last_ip'=>Chips::getIP(),'last_login'=>date("Y-m-d H:i:s")))->where("id=".$manager->id)->update();
//这里有一个getIP函数,跟入。
if($back === null) $back = $this->defaultAction;
$this->redirect($back,true);
}
else
{
$this->msg='用户名或者密码错误';
$this->layout = "";
$this->redirect('login',false);
}
}
}
getip函数跟进。 /framework/lib/util/chips_class.php public static function getIP() { if (isset($_SERVER["HTTP_X_FORWARDED_FOR"]))$ip = $_SERVER["HTTP_X_FORWARDED_FOR"]; elseif (isset($_SERVER["HTTP_CLIENT_IP"])) $ip = $_SERVER["HTTP_CLIENT_IP"]; elseif (isset($_SERVER["REMOTE_ADDR"])) $ip = $_SERVER["REMOTE_ADDR"]; elseif (getenv("HTTP_X_FORWARDED_FOR")) $ip = getenv("HTTP_X_FORWARDED_FOR"); elseif (getenv("HTTP_CLIENT_IP")) $ip = getenv("HTTP_CLIENT_IP"); elseif (getenv("REMOTE_ADDR")) $ip = getenv("REMOTE_ADDR"); else $ip = "Unknown"; return $ip; } 直接获取了$_SERVER["HTTP_X_FORWARDED_FOR"],gpc也没用了。导致了注入。我输出语句演示。
修复方案:获取转义 |
-
上一篇: easysite内容管理系统某简单粗暴的SQL注入 - 网站安
下一篇: PageAdmin可绕过验证伪造任意用户身份登录(前台
还没有人抢沙发呢~