Vulnerable code (ad_js.php)

```php
<?php
define('IN_BLUE', true);
require_once dirname(__FILE__) . '/include/common.inc.php';

// User input: only leading/trailing whitespace is removed, nothing is escaped or cast
$ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : '';
if (empty($ad_id)) {
    echo 'Error!';
    exit();
}

// Injection point: the raw ad_id is concatenated straight into the query
$ad = $db->getone("SELECT * FROM " . table('ad') . " WHERE ad_id =" . $ad_id);

if ($ad['time_set'] == 0) {
    $ad_content = $ad['content'];
} else {
    if ($ad['end_time'] < time()) {
        $ad_content = $ad['exp_content'];
    } else {
        $ad_content = $ad['content'];
    }
}

$ad_content = str_replace('"', '\"', $ad_content);
$ad_content = str_replace("\r", "\\r", $ad_content);
$ad_content = str_replace("\n", "\\n", $ad_content);

echo "<!--\r\ndocument.write(\"" . $ad_content . "\");\r\n-->\r\n";
?>
```
The code checks whether ad_id is non-empty and, if it is, only applies trim() to strip leading and trailing whitespace from the supplied value:

```php
$ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : '';
```
It then concatenates the supplied ad_id directly into the SQL statement and runs the query:

```php
$ad = $db->getone("SELECT * FROM " . table('ad') . " WHERE ad_id =" . $ad_id);
```
Because the value is never escaped or cast, this is a SQL injection vulnerability: a user can append a UNION query to ad_id and read other data from the database.
Example:

```text
http://localhost/cms/ad_js.php?ad_id=1 and 1=2 union select 1,2,3,4,5,concat(admin_name,0x7C0D0A,pwd),concat(admin_name,0x7C0D0A,pwd) from blue_admin where admin_id=1
```
Fix

```php
$ad_id = !empty($_GET['ad_id']) ? intval($_GET['ad_id']) : '';
```
Cast the user-supplied ad_id to an integer. intval() keeps only the leading integer of the input, so a value such as the one above collapses to 1 before it reaches the query.
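As an added defender-side example (not part of the original write-up or of BlueCMS), the following Python scans web-server access logs for requests to ad_js.php whose ad_id is not a plain integer, i.e. exactly the inputs the intval() fix would discard; the log lines are constructed samples and the Apache combined log layout is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log entries (Apache combined-style, trimmed); not real traffic.
# The third line carries the UNION request from the write-up, URL-encoded as a browser sends it.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cms/ad_js.php?ad_id=1 HTTP/1.1" 200 311
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /cms/ad_js.php?ad_id=7 HTTP/1.1" 200 298
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /cms/ad_js.php?ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,concat(admin_name,0x7C0D0A,pwd),concat(admin_name,0x7C0D0A,pwd)%20from%20blue_admin%20where%20admin_id=1 HTTP/1.1" 200 402
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /cms/ad_js.php?ad_id=abc HTTP/1.1" 200 311
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /cms/index.php HTTP/1.1" 200 5120
"""

# Assumed log layout: client IP, ident, user, [timestamp], "METHOD target PROTOCOL", ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# What the patched code would keep unchanged: a bare non-negative integer (after trim()).
INT_RE = re.compile(r'\d{1,10}')


def suspicious_ad_id_requests(log_text, script='/ad_js.php', param='ad_id'):
    """Return (client_ip, decoded_value) for requests whose ad_id is not a bare integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        if not parts.path.endswith(script):
            continue
        # parse_qs percent-decodes and turns '+' into spaces, as PHP does when filling $_GET
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            if not INT_RE.fullmatch(value.strip()):
                hits.append((m.group('ip'), value))
    return hits


if __name__ == '__main__':
    for ip, value in suspicious_ad_id_requests(SAMPLE_LOG):
        print(f'{ip}: non-integer ad_id -> {value!r}')
```

Legitimate BlueCMS ad tags only ever request a numeric ad_id, so each hit is worth a look even after the fix is deployed, since it shows who is probing the parameter.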
Original link: BlueCMS v1.6 sp1 ad_js.php SQL injection vulnerability