Z-Blog PHP Edition (Part 3): POST Injection as a Low-Privilege Administrator

2013-09-24T00:00:00
ID SSV:96197
Type seebug
Reporter Root
Modified 2013-09-24T00:00:00

Description

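Brief description:

Registering a commenter account is enough to inject all the way to the administrator.

Detailed description:

I could not find the function where you receive the POST variables, so I believe the problem lies in /zb_system/function/lib/dbsql.php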

    public function ParseWhere($where){
        global $zbp;
        $sqlw=null;
        if(!empty($where)) {
            $sqlw .= ' WHERE ';
            $comma = '';
            foreach($where as $k => $w) {
                $eq=$w[0];
                if($eq=='='|$eq=='<'|$eq=='>'|$eq=='LIKE'|$eq=='<>'|$eq=='!='){
                    $x = (string)$w[1];
                    $y = (string)$w[2];
                    $y = $zbp->db->EscapeString($y);
                    $sqlw .= $comma . " $x $eq '$y' ";
                }
                if($eq=='BETWEEN'){
                    // $b2 and $b3 are interpolated without EscapeString
                    $b1 = (string)$w[1];
                    $b2 = (string)$w[2];
                    $b3 = (string)$w[3];
                    $sqlw .= $comma . " $b1 BETWEEN '$b2' AND '$b3' ";
                }
                if($eq=='search'){
                    $j=count($w);
                    $sql_search='';
                    $c='';
                    for ($i=1; $i <= $j-1-1; $i++) {
                        $x=(string)$w[$i];
                        $y=(string)$w[$j-1];
                        $y=$zbp->db->EscapeString($y);
                        $y=$w[$j-1]; // overwrites the escaped value with the raw one
                        $sql_search .= $c . " ($x LIKE '%$y%') ";
                        $c='OR';
                    }
                    $sqlw .= $comma . '(' . $sql_search . ')';
                }
                if($eq=='array'){
                    $c='';
                    $sql_array='';
                    if(!is_array($w[1]))continue;
                    if(count($w[1])==0)continue;
                    foreach ($w[1] as $x=>$y) {
                        $y[1]=$zbp->db->EscapeString($y[1]);
                        $sql_array .= $c . " $y[0]='$y[1]' ";
                        $c='OR';
                    }
                    $sqlw .= $comma . '(' . $sql_array . ')';
                }
                if($eq=='custom'){
                    // raw fragment appended as-is
                    $sqlw .= $comma . '(' . $w[1] . ')';
                }
                $comma = 'AND';
            }
        }
        echo $sqlw; // also echo the SQL statement out; your concatenation is painful to read
        return $sqlw;
    }

<img src="https://images.seebug.org/upload/201309/24122032c561068e338545038ee1e4e150fd9873.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">

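The injection is exploited the same way as in this report: WooYun: Z-Blog PHP edition front-end regex blind SQL injection vulnerability. Run sqlmap against it and the result comes out.

Proof of vulnerability: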

<img src="https://images.seebug.org/upload/201309/24122032c561068e338545038ee1e4e150fd9873.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">
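A hardened counterpart to the ParseWhere builder quoted above, added here as an example; it is not Z-Blog's code or its actual fix. It covers the comparison, BETWEEN and search branches with bound parameters. The names buildWhere and $allowedColumns, the column names and the sample input are assumptions constructed for illustration.

```php
<?php
// Added example, not Z-Blog code. buildWhere() and $allowedColumns are hypothetical.
// Returns [sqlFragment, params] for use with a prepared statement (e.g. PDO).
function buildWhere(array $where, array $allowedColumns): array
{
    $ops = ['=', '<', '>', '<>', '!=', 'LIKE'];
    $clauses = [];
    $params = [];
    $col = function (string $name) use ($allowedColumns): string {
        // Identifiers cannot be bound, so they must come from a fixed allow-list.
        if (!in_array($name, $allowedColumns, true)) {
            throw new InvalidArgumentException("column not allowed: $name");
        }
        return $name;
    };
    foreach ($where as $w) {
        $eq = $w[0];
        if (in_array($eq, $ops, true)) {
            $clauses[] = $col((string)$w[1]) . " $eq ?";
            $params[] = (string)$w[2];
        } elseif ($eq === 'BETWEEN') {
            // Both bounds are bound, unlike the original branch.
            $clauses[] = $col((string)$w[1]) . ' BETWEEN ? AND ?';
            array_push($params, (string)$w[2], (string)$w[3]);
        } elseif ($eq === 'search' && count($w) >= 3) {
            $term = '%' . (string)array_pop($w) . '%'; // last element is the term
            $likes = [];
            foreach (array_slice($w, 1) as $x) {
                $likes[] = $col((string)$x) . ' LIKE ?';
                $params[] = $term;
            }
            $clauses[] = '(' . implode(' OR ', $likes) . ')';
        } else {
            // 'custom' raw SQL fragments and unknown operators are refused.
            throw new InvalidArgumentException("operator not allowed: $eq");
        }
    }
    $sql = $clauses ? ' WHERE ' . implode(' AND ', $clauses) : '';
    return [$sql, $params];
}

// Constructed input: the search term carries a quote and SQL syntax.
[$sql, $params] = buildWhere(
    [['=', 'status', '0'], ['search', 'title', 'content', "a%') OR 1=1 -- "]],
    ['status', 'title', 'content'] // constructed column names
);
echo $sql, "\n";   // SQL text contains only placeholders and allow-listed columns
print_r($params);  // user-supplied values travel separately as bound data
```

The returned fragment and parameter list are meant to be passed to a prepared statement, so the database driver never parses user input as SQL.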