UCenter Home 2.0 两处鸡肋（利用条件苛刻）的 SQL 注入:
1. source/cp_friend.php 文件（`$op == 'group'` 分支节选，COUNT 查询之后的代码省略）
elseif($op == 'group') {
if(submitcheck('groupsubmin')) {
if(empty($_POST['fuids'])) {
showmessage('please_correct_choice_groups_friend');
}
$ids = simplode($_POST['fuids']);
$groupid = intval($_POST['group']);
updatetable('friend', array('gid'=>$groupid), "uid='$_SGLOBAL[supe_uid]' AND fuid IN ($ids) AND status='1'");
friend_cache($_SGLOBAL['supe_uid']);
showmessage('do_success', $_SGLOBAL['refer']);
}
$perpage = 50;
$page = empty($_GET['page'])?1:intval($_GET['page']);
if($page<1) $page = 1;
$start = ($page-1)*$perpage;
$list = array();
$multi = '';
$space['friendnum']=1;
if($space['friendnum']) {
$groups = getfriendgroup();
$theurl = 'cp.php?ac=friend&op=group';
$group = !isset($_GET['group'])?'-1':intval($_GET['group']);
if($group > -1) {
$wheresql = "AND main.gid='$group'"; //-----??
$theurl .= "&group=$group";
}
$count = $_SGLOBAL['db']->result($_SGLOBAL['db']->query("SELECT COUNT(*) FROM ".tname('friend')." main
WHERE main.uid='$space[uid]' AND main.status='1' $wheresql"), 0);
..........................................
$wheresql 变量在 `if($group > -1)` 之前没有初始化：URL 不带 group 参数时它从未被赋值，却被直接拼进了 COUNT(*) 查询的 WHERE 子句。因此只要运行环境会把请求参数直接注册为同名 PHP 变量（典型的是开启了 register_globals），攻击者就能通过 wheresql 参数控制这段 SQL；反过来说，代码本身并没有从 $_GET 读取 wheresql，所以在 register_globals 关闭的环境下这里不可控，这也是它“鸡肋”的原因。这个查询只取 COUNT 的值、不回显数据列，按作者的说法不能用 UNION 直接取数，只能报错或盲注。修复：在 `if($group > -1)` 之前加一行 `$wheresql = '';`（`$group` 已经 intval 过，`main.gid='$group'` 本身没有问题）。
验证方式：注册两个用户，用其中一个通过 uid 把另一个加为好友（让 friend 表里有当前用户的记录），加好友成功后在地址栏追加 wheresql=' 参数，例如 cp.php?ac=friend&op=group&wheresql='，若环境受影响会看到 SQL 出错提示（能否触发同样取决于 magic_quotes_gpc 等是否会把单引号转义）。完整 exp 就留给看官自己动手了。
2. source\cp_album.php 文件（op=edit 分支节选，相册隐私/密码处理部分）
.....................
（顺带一提：下面 `if($_POST['friend'] !== 4)` 分支里写的是 `$_POST['password'] == '';`，这是比较而不是赋值，没有任何效果——非加密模式下提交的 password 值不会被清空，会原样通过 updatetable 写入 album 表；应改为 `$_POST['password'] = '';`。）
if($_GET['op'] == 'edit') {
if($albumid < 1) {
showmessage('photos_do_not_support_the_default_settings', "cp.php?ac=album&op=editpic", 0);
}
$query = $_SGLOBAL['db']->query("SELECT * FROM ".tname('album')." WHERE albumid='$albumid'");
if(!$album = $_SGLOBAL['db']->fetch_array($query)) {
showmessage('no_privilege');
}
if($album['uid'] != $_SGLOBAL['supe_uid'] && !checkperm('managealbum')) {
showmessage('no_privilege');
}
if(submitcheck('editsubmit')) {
$_POST['albumname'] = getstr($_POST['albumname'], 50, 1, 1, 1);
if(empty($_POST['albumname'])) {
showmessage('album_name_errors');
}
//隐私
$_POST['friend'] = intval($_POST['friend']);
$_POST['target_ids'] = '';
if($_POST['friend'] == 2) {
//特定好友
$uids = array();
$names = empty($_POST['target_names'])?array():explode(' ', str_replace(cplang('tab_space'), ' ', $_POST['target_names']));
if($names) {
$query = $_SGLOBAL['db']->query("SELECT uid FROM ".tname('space')." WHERE username IN (".simplode($names).")");
while ($value = $_SGLOBAL['db']->fetch_array($query)) {
$uids[] = $value['uid'];
}
}
if(empty($uids)) {
$_POST['friend'] = 3;//仅自己可见
} else {
$_POST['target_ids'] = implode(',', $uids);
}
} elseif($_POST['friend'] == 4) {
//加密
$_POST['password'] = trim($_POST['password']); //-------注意
if($_POST['password'] == '') $_POST['friend'] = 0;//公开
}
if($_POST['friend'] !== 2) {
$_POST['target_ids'] = '';
}
if($_POST['friend'] !== 4) {
$_POST['password'] == '';
}
updatetable('album', array('albumname'=>$_POST['albumname'], 'friend'=>$_POST['friend'], 'password'=>$_POST['password'], 'target_ids'=>$_POST['target_ids']), array('albumid'=>$albumid));