Thinksaas SQL Injection Vulnerability

2013-12-23T00:00:00
ID SSV:94309
Type seebug
Reporter Root
Modified 2013-12-23T00:00:00

Description

Brief description:

Thinksaas SQL injection #5

Detailed description:

Thinksaas SQL injection #5: points redemption, item edit page, SQL injection. First location: /app/redeem/action/edit.php

```php
case "do":

    $goodsid = intval($_POST['goodsid']);
    $cateid = intval($_POST['cateid']);
    $title = trim($_POST['title']);     // the problem is here: only trimmed, never escaped
    $content = trim($_POST['content']); // the problem is here: only trimmed, never escaped
    $nums = intval($_POST['nums']);
    $scores = intval($_POST['scores']);
    $return = intval($_POST['return']);

    $new['redeem']->update('redeem_goods',array(
        'goodsid'=>$goodsid,
    ),array(
        'cateid'=>$cateid,
        'title'=>$title,     // the problem is here: raw user input reaches update()
        'content'=>$content, // the problem is here: raw user input reaches update()
        'nums'=>$nums,
        'scores'=>$scores,
        'return'=>$return,
    ));

```

No filtering is applied here, and the values go into update():

```php
public function update($table, $conditions, $row) {
    $where = "";
    if (empty ( $row ))
        return FALSE;
    if (is_array ( $conditions )) {
        $join = array ();
        foreach ( $conditions as $key => $condition ) {
            // condition values are escaped before being placed in the WHERE clause
            $condition = $this->escape ( $condition );
            $join [] = "{$key} = {$condition}";
        }
        $where = "WHERE " . join ( " AND ", $join );
    } else {
        if (null != $conditions)
            $where = "WHERE " . $conditions;
    }
    foreach ( $row as $key => $value ) {
        // $row values are concatenated into the SET clause without any escaping
        $vals [] = "`$key` = '$value'";
    }
    $values = join ( ", ", $vals );
    $sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}";

    return $this->db->query ( $sql );
}

```

The contents of $row are not filtered either, so our input goes straight into the SQL statement, which causes the injection.
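As an added example that is not part of the advisory or of the ThinkSAAS code base, the following parameterised replacement for `update()` keeps user-supplied values out of the SQL text entirely. It is demonstrated against an in-memory SQLite database so it runs without the application; the table name, rows and the quoted input value are constructed for the demo, and the only assumption is that PDO with the sqlite driver is available.

```php
<?php
// Added example, not ThinkSAAS project code: a parameterised update() that
// binds every value instead of interpolating it. Demonstrated on an in-memory
// SQLite database. Assumptions: PDO with the sqlite driver is installed; the
// table, rows and input value below are constructed for this demo.

function safeUpdate(PDO $db, string $table, array $conditions, array $row): int
{
    // Placeholders can bind values but not identifiers, so table and column
    // names are checked against a strict pattern instead of being escaped.
    $ident = '/^[A-Za-z_][A-Za-z0-9_]*$/';
    if (!preg_match($ident, $table)) {
        throw new InvalidArgumentException("invalid table name");
    }
    if (empty($row)) {
        return 0;
    }

    $sets = [];
    $params = [];
    foreach ($row as $col => $val) {
        if (!preg_match($ident, $col)) {
            throw new InvalidArgumentException("invalid column name: $col");
        }
        $sets[] = "`$col` = ?";
        $params[] = $val;          // value is bound, never placed in the SQL text
    }

    $wheres = [];
    foreach ($conditions as $col => $val) {
        if (!preg_match($ident, $col)) {
            throw new InvalidArgumentException("invalid column name: $col");
        }
        $wheres[] = "`$col` = ?";
        $params[] = $val;
    }

    $sql = "UPDATE `$table` SET " . implode(", ", $sets);
    if ($wheres) {
        $sql .= " WHERE " . implode(" AND ", $wheres);
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// --- demo -----------------------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE ts_redeem_goods (goodsid INTEGER PRIMARY KEY, title TEXT, scores INTEGER)");
$db->exec("INSERT INTO ts_redeem_goods VALUES (1, 'mug', 10), (2, 'pen', 5)");

// Constructed input containing a quote and a comment marker, the kind of value
// the advisory shows reaching the title column untouched.
$title = "Bob's mug -- demo";

// String building as in the original update(): the quote terminates the
// literal and the remainder of the input is parsed as SQL.
$vulnSql = "UPDATE ts_redeem_goods SET `title` = '$title' WHERE goodsid = 1";
try {
    $db->exec($vulnSql);
    echo "vulnerable statement ran\n";
} catch (PDOException $e) {
    echo "vulnerable statement rejected by the parser: " . $e->getMessage() . "\n";
}

// Parameterised version: the same input is stored as an ordinary string.
$n = safeUpdate($db, 'ts_redeem_goods', ['goodsid' => 1], ['title' => $title]);
echo "rows updated: $n\n";
foreach ($db->query("SELECT goodsid, title, scores FROM ts_redeem_goods", PDO::FETCH_ASSOC) as $r) {
    echo implode(' | ', $r), "\n";
}
```

Run it with `php safe_update.php`. Within the project's own structure, the narrowest fix would be to pass each `$row` value through the same `escape()` call that `update()` already applies to `$conditions` (assuming, as the WHERE clause suggests, that `escape()` returns a quoted, escaped literal), but prepared statements remove the string-concatenation bug class altogether rather than patching one call site, and the identifier whitelist covers the column names, which placeholders cannot protect.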

Proof of vulnerability:

First, look at a normal redemption item:

![1.png](https://images.seebug.org/upload/201312/2311241693cc61ffbb5707be80db63e3448d420c.png)

Edit the item and enter the following:

![2.png](https://images.seebug.org/upload/201312/23112431ad805bb912dcc6cb8c192b82bb211250.png)

After the modification, check the result:

![3.png](https://images.seebug.org/upload/201312/2311244673b9d0199b82a83fe0ba6fabba8c475e.png)

ok