PHPSHE 二次注入一枚

2015-10-07T00:00:00
ID SSV:94727
Type seebug
Reporter Root
Modified 2015-10-07T00:00:00

Description

简要描述:

rt

详细说明:

case 'register': if (isset($_p_pesubmit)) { if($db->pe_num('user', array('user_name'=>pe_dbhold($_g_user_name)))) pe_error('用户名已存在...'); if($db->pe_num('user', array('user_email'=>pe_dbhold($_g_user_email)))) pe_error('邮箱已存在...'); if (strtolower($_s_authcode) != strtolower($_p_authcode)) pe_error('验证码错误'); $sql_set['user_name'] = $_p_user_name; $sql_set['user_pw'] = md5($_p_user_pw); $sql_set['user_email'] = $_p_user_email; $sql_set['user_ip'] = pe_ip(); $sql_set['user_atime'] = $sql_set['user_ltime'] = time(); if ($user_id = $db->pe_insert('user', pe_dbhold($sql_set))) { add_pointlog($user_id, 'reg', $cache_setting['point_reg'], '注册帐号'); $info = $db->pe_select('user', array('user_id'=>$user_id)); $_SESSION['user_idtoken'] = md5($info['user_id'].$pe['host_root']); $_SESSION['user_id'] = $info['user_id']; $_SESSION['user_name'] = $info['user_name']; $_SESSION['pe_token'] = pe_token_set($_SESSION['user_idtoken']); //未登录时的购物车列表入库 if (is_array($cart_list = unserialize($_c_cart_list))) { foreach ($cart_list as $k => $v) { $cart_info['cart_atime'] = time(); $cart_info['product_id'] = $k; $cart_info['product_num'] = $v['product_num']; $cart_info['user_id'] = $info['user_id']; $db->pe_insert('cart', pe_dbhold($cart_info));

用户注册时 ,进行了转义, 然后登入时将完整的值带入了session

case 'login': if (isset($_p_pesubmit)) { $sql_set['user_name'] = $_p_user_name; $sql_set['user_pw'] = md5($_p_user_pw); if (strtolower($_s_authcode) != strtolower($_p_authcode)) pe_error('验证码错误'); if ($info = $db->pe_select('user', pe_dbhold($sql_set))) { $db->pe_update('user', array('user_id'=>$info['user_id']), array('user_ltime'=>time())); if (!$db->pe_num('pointlog', " and `user_id` = '{$info['user_id']}' and `pointlog_type` = 'reg' and `pointlog_text` = '登录帐号' and `pointlog_atime` >= '".strtotime(date('Y-m-d'))."'")) { add_pointlog($info['user_id'], 'reg', $cache_setting['point_login'], '登录帐号'); } $_SESSION['user_idtoken'] = md5($info['user_id'].$pe['host_root']); $_SESSION['user_id'] = $info['user_id']; $_SESSION['user_name'] = $info['user_name'];

在 D:/wamp/www/module/index/order.php出库了

case 'comment': $order_id = pe_dbhold($_g_id); $info = $db->pe_select('order', array('order_id'=>$order_id, 'user_id'=>$_s_user_id)); if (!$info['order_id']) pe_error('参数错误...'); $info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id)); if (isset($_p_pesubmit)) { pe_token_match(); if ($info['order_comment']) pe_error('请勿重复评价...'); foreach ($info_list as $k=>$v) { $sql_set[$k]['comment_star'] = intval($_p_comment_star[$v['product_id']]); $sql_set[$k]['comment_text'] = pe_dbhold($_p_comment_text[$v['product_id']]); $sql_set[$k]['comment_atime']= time(); $sql_set[$k]['product_id'] = $v['product_id']; $sql_set[$k]['order_id'] = $order_id; $sql_set[$k]['user_ip'] = pe_dbhold(pe_ip()); $sql_set[$k]['user_id'] = $_s_user_id; $sql_set[$k]['user_name'] = $_s_user_name; if (!$sql_set[$k]['comment_text']) pe_error('评价内容必须填写...'); } if ($db->pe_insert('comment', $sql_set)) { order_callback('comment', $order_id); pe_success('评价成功!');

我们注册个用户 aaaaaaa' ,购买商品后评价,可以看到 单引号带入了。

<img src="https://images.seebug.org/upload/201509/1605551476d610488f338f99b9cb11b7cdb6e46d.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

漏洞证明:

<img src="https://images.seebug.org/upload/201509/1605551476d610488f338f99b9cb11b7cdb6e46d.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

盲注。