网站地图    收藏   

主页 > 后端 > 网站安全 >

YouYaX某处SQL注入及修复方案 - 网站安全 - 自学p

来源:自学PHP网    时间:2015-04-16 23:15 作者: 阅读:

[导读] ext register php 文件当($mix[ 39;is_prevent_reg 39;]为true时if($mix[ 39;is_prevent_reg 39;]){if (!empty($_SERVER[ 39;HTTP_CLIENT_IP 39;])) $myIp = $_SERVER[ 39;HTTP_CLIE...

/ext/register.php 文件
 
 
 
当($mix['is_prevent_reg']为true时
 
if($mix['is_prevent_reg']){

if (!empty($_SERVER['HTTP_CLIENT_IP']))

        $myIp = $_SERVER['HTTP_CLIENT_IP'];

    else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))

        $myIp = $_SERVER['HTTP_X_FORWARDED_FOR'];

    else

        $myIp = $_SERVER['REMOTE_ADDR'];

    $sql    = "select * from " . $config['db_prefix'] . "user where ip_addr='" . $myIp . "'";

    $result = mysql_query($sql);

    $num    = mysql_num_rows($result);

 

 
 
可以伪造IP进行注入,因为不回显应该是用延时注入比较合适.
 
这里echo 出sql语句做一下漏洞证明
 
 
为了管理员复现漏洞方便(该CMS还要配置邮件服务器,我注释这些代码)
 
复制了我的代码上来你复现直接粘贴上去就可以了
 
<?php

include('../ext_public/include.php');

include('../ext_public/database.php');

function doUserCount($param){

$count_arr = mysql_fetch_array(mysql_query("select * from " . $param . "count where id=1"));

$data=unserialize($count_arr['user_count']);

$date=date('w', time());

$date2=date('W',time());

if($date2 != $count_arr['week_order']){

   mysql_query("update " . $param . "count set user_count='',post_count='',week_order='".$date2."' where id=1");

   $count_arr = mysql_fetch_array(mysql_query("select * from " . $param . "count where id=1"));

$data=unserialize($count_arr['user_count']);

}

switch($date){

case 0:

@$data['g']++;

break;

case 1:

@$data['a']++;

break;

case 2:

@$data['b']++;

break;

case 3:

@$data['c']++;

break;

case 4:

@$data['d']++;

break;

case 5:

@$data['e']++;

break;

case 6:

@$data['f']++;

break;

}

   mysql_query("update " . $param . "count set user_count='".serialize($data)."' where id=1");

}

if (isset($_POST['sub'])) {

if(empty($config['default_user_group'])||empty($config['not_log_in_user_group'])){

     echo "<script>alert('请至后台[注册激活管理-配置]设置注册和未登陆默认用户组');</script>";

     exit;

    }

    $user = htmlspecialchars(addslashes(trim($_POST['user'])), ENT_QUOTES, "UTF-8");

    if(mb_strlen($user,'utf8')>7 || mb_strlen($user,'utf8')<2){

     echo "<script>alert('用户名长度必须在2~7个字符之间');</script>";

      echo "<script>window.parent.location.href='" . url_site . "';</script>";

      exit;

    }

    if (empty($_POST['pass'])) {

        echo "<script>alert('密码必填');</script>";

        echo "<script>window.parent.location.href='" . url_site . "';</script>";

        exit;

    }

    $pass = md5(addslashes($_POST['pass']));

    $_POST['email']=addslashes($_POST['email']);

    if (empty($_POST['email'])) {

        echo "<script>alert('邮箱名必填');</script>";

        echo "<script>window.parent.location.href='" . url_site . "';</script>";

        exit;

    }

if($mix['is_prevent_reg']){

if (!empty($_SERVER['HTTP_CLIENT_IP']))

        $myIp = $_SERVER['HTTP_CLIENT_IP'];

    else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))

        $myIp = $_SERVER['HTTP_X_FORWARDED_FOR'];

    else

        $myIp = $_SERVER['REMOTE_ADDR'];

    $sql    = "select * from " . $config['db_prefix'] . "user where ip_addr='" . $myIp . "'";

    $result = mysql_query($sql);

    var_dump($sql);

    $num    = mysql_num_rows($result);

   if($num >= $mix['prevent_reg_num']){

    echo "<script>alert('注册失败,此IP地址已经使用超过 ".$mix['prevent_reg_num']." 次了');</script>";

     echo "<script>window.parent.location.href='" . url_site . "';</script>";

     exit;

   }

}

    $code = '';

    for ($i = 0; $i < 6; $i++) {

        $code .= mt_rand(0, 9);

    }



    if($config['register_mode']==1){

/*     $mailconf = require("../Conf/mail.config.php");

   if(empty($mailconf['mail_Host'])&&empty($mailconf['mail_Username'])&&empty($mailconf['mail_Password'])){

    echo "<script>alert('管理员后台未配置邮件服务器');</script>";

    exit;

   }*/

    }



    mysql_query("SET NAMES 'utf8'");

    mysql_query("SET sql_mode=''");

    date_default_timezone_set('Asia/Shanghai');

    $sql    = "select * from " . $config['db_prefix'] . "user where user='" . $user . "'";

    $result = mysql_query($sql);

    $num    = mysql_num_rows($result);

    //判断是否被注册

    if ($num > 0) {

        echo "<script>alert('该用户名已被注册');</script>";

        echo "<script>window.parent.location.href='" . url_site . "';</script>";

    } else {

        $sql2    = "select * from " . $config['db_prefix'] . "user where email='" . $_POST['email'] . "'";

        $result2 = mysql_query($sql2);

        $num2    = mysql_num_rows($result2);

        if ($num2 > 0) {

            echo "<script>alert('邮箱名已被注册');</script>";

            echo "<script>window.parent.location.href='" . url_site . "';</script>";

            exit;

        } else {

        if($config['register_mode']==1){

/*            require_once("../ext_public/phpmailer/class.phpmailer.php");

            $mail     = new PHPMailer();

            $mail->IsSMTP();

            $mail->Host     = $mailconf['mail_Host'];

            $mail->SMTPAuth = true;

            $mail->Username = $mailconf['mail_Username'];

            $mail->Password = $mailconf['mail_Password'];

            $mail->From     = $mailconf['mail_From'];

            $mail->FromName = $mailconf['mail_FromName'];

            $mail->AddAddress($_POST['email']);

            $mail->IsHTML(true);

            $mail->CharSet  = "UTF-8";

            $mail->Encoding = "base64";

            $mail->Subject  = $mailconf['mail_Subject'];

            $mail->Body     = $mailconf['mail_Body'] . "<a href='" . url_site . "/ext/mail_active.php?user=" . $user . "&pass=" . $pass . "&email=" . $_POST['email'] . "&code=" . $code . "'>点此激活</a>";

            if (!empty($_POST['email'])) {

                exit;

            }*/

            if($mix['is_prevent_reg']){

             $sql = "insert into " . $config['db_prefix'] . "user(user,pass,status,email,complete,face,time,fatieshu,bid,codes,ip_addr,user_group) values('" . $user . "','" . $pass . "',0,'" . $_POST['email'] . "','0','00.gif',now(),0,'".$mix['bid_init']."','" . $code . "','".$myIp."','".$config['default_user_group']."')";

            }else{

             $sql = "insert into " . $config['db_prefix'] . "user(user,pass,status,email,complete,face,time,fatieshu,bid,codes,user_group) values('" . $user . "','" . $pass . "',0,'" . $_POST['email'] . "','0','00.gif',now(),0,'".$mix['bid_init']."','" . $code . "','".$config['default_user_group']."')";

            }

            mysql_query($sql);

            doUserCount($config['db_prefix']);

            echo "<script>alert('注册成功,请至邮箱激活!');</script>";

            echo "<script>window.parent.location.href='" . url_site . "';</script>";

        }else{

      if(addslashes($_POST['valicode'])!=$_SESSION['verify']){

      echo "<script>alert('输入的验证码不正确!');</script>";

      exit;

      }else{

      if($mix['is_prevent_reg']){

      $sql = "insert into " . $config['db_prefix'] . "user(user,pass,status,email,complete,face,time,fatieshu,bid,codes,ip_addr,user_group) values('" . $user . "','" . $pass . "',1,'" . $_POST['email'] . "','0','00.gif',now(),0,'".$mix['bid_init']."','". $code . "','".$myIp."','".$config['default_user_group']."')";

      }else{

          $sql = "insert into " . $config['db_prefix'] . "user(user,pass,status,email,complete,face,time,fatieshu,bid,codes,user_group) values('" . $user . "','" . $pass . "',1,'" . $_POST['email'] . "','0','00.gif',now(),0,'".$mix['bid_init']."','". $code . "','".$config['default_user_group']."')";



                }

         mysql_query($sql);

         doUserCount($config['db_prefix']);

         echo "<script>alert('注册成功!');</script>";

         $_SESSION['youyax_data'] = 1;

         $_SESSION['youyax_user'] = $user;

         $_SESSION['youyax_bz']   = 1;

         echo "<script>window.parent.location.href='" . url_site . "';</script>";

      }

        }

      }

    }

}

?>

 

修复方案:
对IP正则判断

自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

京ICP备14009008号-1@版权所有www.zixuephp.com

网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

添加评论