Vicworl: insufficient filtering leads to SQL injection

The root cause is that get_client_ip() returns the request header values as-is, with no validation:

function get_client_ip( )
{
    // Variable names restored from the decompiler's obfuscated identifiers.
    // Whichever value is present first is returned untouched; HTTP_CLIENT_IP and
    // HTTP_X_FORWARDED_FOR are ordinary request headers, so they are attacker-controlled.
    if ( getenv( "HTTP_CLIENT_IP" ) )
    {
        $ip = getenv( "HTTP_CLIENT_IP" );
        return $ip;
    }
    if ( getenv( "HTTP_X_FORWARDED_FOR" ) )
    {
        $ip = getenv( "HTTP_X_FORWARDED_FOR" );
        return $ip;
    }
    if ( getenv( "REMOTE_ADDR" ) )
    {
        $ip = getenv( "REMOTE_ADDR" );
        return $ip;
    }
    // The superglobal was obfuscated in the decompiled listing; the fallback is the server array.
    $ip = $_SERVER['REMOTE_ADDR'];
    return $ip;
}

Its return value is then used in /ajax.php, register.php, /library/global.inc.php, /library/module/user/article.php and /library/module/user/leaveword.php.
For example, in /ajax.php:

case "AddVideoComment" :
    if ( empty( $vicworl_uid ) )
    {
        echo "<script>alert('请先登陆!');</script>";
        exit( );
    }
    ......................
    if ( $_VCACHE['setting']['commentauditing'] == 1 )
    {
        $id *= -1;
        $tmpSTR = "评论成功!待审核后即可显示!";
    }
    // get_client_ip() and $content are concatenated straight into the query.
    $strSQL = "insert into `".$tablepre."comment` (`id`,`ip`,`content`,`uid`,`commenter`,`type`,`articleId`,`createtime`) values (NULL,'".get_client_ip( ).( "','".$content."',{$vicworl_uid},{$vicworl_uid},1,{$id},'" ).time( )."')"; // inserted directly, but it requires login. Feels of little use.
    $acCount = sql_exec( $strSQL );
    if ( !( 0 < $acCount ) )
    {
        break;
    }

The registration path is much the same, and every user-controllable input there is checked.
/library/global.inc.php:

function login_user( $uid, $password, $expires, $adminlevel )
{
    // Parameter names restored from the obfuscated/garbled identifiers, matching the call site below.
    global $tablepre;
    if ( $uid == 0 )
    {
        return 0;
    }
    $dbpassword = get_one_column( "SELECT `password` FROM `".$tablepre."user` WHERE `uid`='{$uid}' AND `admin`='{$adminlevel}'" );
    if ( $password == $dbpassword )
    {
        // get_client_ip() is concatenated into the UPDATE without escaping.
        sql_exec( "UPDATE `".$tablepre."user` SET `ip`='".get_client_ip( ).( "' WHERE `uid`='".$uid."'" ) ); // Odd call: why does this need to UPDATE the database here? And it only runs once both account and password check out.
        authsetcookie( $uid, $password, $expires, $adminlevel );
        return 1;
    }
    return 0;
}

The call site looks like this:
$member = login_user( $vicworl_uid, $npassword, $vicworl_expires, $vicworl_adminlevel );
So it first checks whether a uid was passed in; if it is nonzero it compares the password, and on a match it updates the record directly and then sets the cookie. This is pretty useless: if I already have the account and password, what is the point of injecting? Still, a low-privilege account can take it further from here.

/library/module/user/article.php
else if ( $step == "addComment" )
{
    $articleId = trim( $articleId );
    $ip = get_client_ip( );
    $createtime = time( );
    $content = trim( $content );
    if ( empty( $vicworl_uid ) )
    {
        msg( "评论前请先登陆!", "home.php?action=article&id=".$id."&step=detail&articleId={$articleId}" );
        exit( );
    }
    if ( !checklen( $content, 5, 1000 ) )
        // body of this branch is missing from the decompiled listing

    $tmpSTR = "";
    if ( $_VCACHE['setting']['commentauditing'] == 1 )
    {
        $articleId *= -1;
        $tmpSTR = "评论待审核后即可显示!";
    }
    // $ip (from get_client_ip()) and $content are interpolated straight into the INSERT.
    $sql = "INSERT INTO `".$tablepre."comment` (
                `id` ,
                `ip` ,
                `content` ,
                `uid` ,
                `commenter` ,
                `type` ,
                `articleId` ,
                `createtime`
            )
            VALUES (
                NULL ,
                '{$ip}',
                '{$content}',
                '{$id}',
                '{$vicworl_uid}',
                '0',
                '{$articleId}',
                '{$createtime}'
            )";
    $count = sql_exec( $sql );

Likewise, this one also requires being logged in. So far I have not seen a path that works without login.
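The fix has two parts, one for get_client_ip() and one for every INSERT/UPDATE that uses it. The following is an added example written for this page; it is not Vicworl's code. get_client_ip_safe() validates each candidate with filter_var(FILTER_VALIDATE_IP) and only reads the two proxy headers when the caller says a trusted reverse proxy sets them, and add_video_comment() redoes the AddVideoComment insert from /ajax.php as a PDO prepared statement so that neither the IP nor $content is ever part of the SQL text. The function names, the PDO handle, the `vc_` prefix and the in-memory SQLite table used for the self-check are all assumptions made for the example.

```php
<?php
// Added example, not Vicworl's code. get_client_ip_safe() and add_video_comment()
// are hypothetical names; the table layout mirrors the INSERT statements quoted above.

/**
 * Return the client IP, or null if nothing trustworthy is available.
 * Client-IP and X-Forwarded-For are attacker-controlled request headers, so they
 * are only consulted when $trustProxyHeaders is true (a reverse proxy you control
 * sets them), and every candidate must pass FILTER_VALIDATE_IP before it is returned.
 */
function get_client_ip_safe(bool $trustProxyHeaders = false): ?string
{
    $candidates = [];
    if ($trustProxyHeaders) {
        if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
            $candidates[] = $_SERVER['HTTP_CLIENT_IP'];
        }
        if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            // X-Forwarded-For may carry a comma-separated chain; the first entry is the client.
            $candidates[] = trim(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])[0]);
        }
    }
    $candidates[] = $_SERVER['REMOTE_ADDR'] ?? '';

    foreach ($candidates as $ip) {
        // filter_var() accepts only a bare IPv4/IPv6 literal, so quotes, parentheses
        // or SQL keywords in a header can never reach the query.
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            return $ip;
        }
    }
    return null;
}

/**
 * Parameterized version of the AddVideoComment insert from /ajax.php.
 * $tablepre comes from configuration, not from the request, so it is the only
 * value still concatenated into the SQL text.
 */
function add_video_comment(PDO $pdo, string $tablepre, int $uid, int $id, string $content, bool $auditing): int
{
    if ($auditing) {
        $id *= -1; // original convention: negative id = pending moderation
    }
    $sql = "INSERT INTO `{$tablepre}comment`
                (`id`, `ip`, `content`, `uid`, `commenter`, `type`, `articleId`, `createtime`)
            VALUES (NULL, :ip, :content, :uid, :commenter, 1, :articleId, :createtime)";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':ip'         => get_client_ip_safe() ?? '0.0.0.0',
        ':content'    => $content,
        ':uid'        => $uid,
        ':commenter'  => $uid,
        ':articleId'  => $id,
        ':createtime' => time(),
    ]);
    return $stmt->rowCount();
}

// Self-check against an in-memory SQLite table of the same shape (constructed for this example).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE `vc_comment` (`id` INTEGER PRIMARY KEY, `ip` TEXT, `content` TEXT,
            `uid` INTEGER, `commenter` INTEGER, `type` INTEGER, `articleId` INTEGER, `createtime` INTEGER)");

$_SERVER['REMOTE_ADDR'] = '203.0.113.5';                       // constructed socket address
$_SERVER['HTTP_X_FORWARDED_FOR'] = 'not an ip, 198.51.100.7';  // constructed: first hop is not an IP literal

assert(get_client_ip_safe(true) === '203.0.113.5');   // malformed forwarded value rejected, socket address used
$_SERVER['HTTP_X_FORWARDED_FOR'] = '198.51.100.7, 10.0.0.1';
assert(get_client_ip_safe(true) === '198.51.100.7');  // well-formed chain: first hop wins
assert(get_client_ip_safe(false) === '203.0.113.5');  // headers ignored unless a trusted proxy is configured

$rows = add_video_comment($pdo, 'vc_', 42, 7, "it's a comment with 'quotes'", true);
assert($rows === 1);
$row = $pdo->query("SELECT `ip`, `articleId`, `content` FROM `vc_comment`")->fetch(PDO::FETCH_ASSOC);
assert($row['ip'] === '203.0.113.5' && (int) $row['articleId'] === -7);
echo "ok\n";
```

Two design points: the proxy headers are off by default because a validated X-Forwarded-For is still spoofable for logging purposes when no trusted proxy sits in front of the application, and the IP validation is kept even though the statement is parameterized, since the `ip` column is later displayed and compared and should only ever hold an address literal.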
