二次注入 php,yxcms二次注入漏洞

[php]/protected/apps/member/controller/photoController.php

$data['account']=$this->mesprefix.$this->auth['account'];

$data['sort']=$_POST['sort'];//从这里入口

$data['exsort']=empty($_POST['exsort'])?'':implode(',',$_POST['exsort']);

$data['title']=in($_POST['title']);

$data['keywords']=in($_POST['keywords']);

$data['picture']=$_POST['picture'];

$data['description']=in($_POST['description']);

$data['content']=in($_POST['content']);

$data['method']='photo/content';

$data['tpcontent']=in($_POST['tpcontent']);

$data['ispass']=0;

$data['recmd']=0;

$data['hits']=0;

$data['norder']=0;

$data['addtime']=time();

// if (empty($data['description'])) {

// $data['description']=in(substr(deletehtml($_POST['content']), 0, 250)); //自动提取描述

// }

// if(empty($data['keywords'])){

// $data['keywords']= $this->getkeyword($data['title'].$data['description']); //自动获取中文关键词

// if(empty($data['keywords'])) $data['keywords']=str_replace(' ',',',$data['description']);//非中文

// }

// if($_POST['iftag']) {

// $iftag = $this->crtags($data['keywords']);

// if(!$iftag) $this->alert('标签生成失败~');

// }

if(!empty($_POST['photolist']))

$data['photolist']=implode(',',$_POST['photolist']);

if(!empty($_POST['conlist']))

$data['conlist']=implode(',',in($_POST['conlist']));

if(model('photo')->insert($data))

$this->success('图集添加成功~',url('photo/index'));

else $this->error('图集添加失败');

[/php]

ps:发布news的文件同样也存在这类问题。需求等待管理通过发布的商品，但是是看不到有什么异常的。

恶意代码插入数据库后,看看那里会调用sort的数据

/protected/apps/default/controller/columnController.php

[php]

public function content()

{

$ename=in($_GET['col']);

$id=intval($_GET['id']);

if(empty($ename) || empty($id)) throw new Exception('参数错误~', 404);

$this->col=$ename;

$sortinfo=model('sort')->find("ename='{$ename}'",'type');

switch ($sortinfo['type']) {

case 1://文章

$this->newscon($ename,$id);

break;

case 2://图集

$this->photocon($id);

break;

default:

throw new Exception('此类型下没有内容~', 404);

break;

}

}

[/php]

从content函数进来,因为发的是图集,所以跟进photocon函数

[php]protected function photocon($id)

{

$info=model('photo')->find("id='{$id}' and ispass='1'");

if(empty($info)) throw new Exception('内容不存在~', 404);

$info['exsort']=explode(',', $info['exsort']);

$page = new Page();

$info['content']=$info['content'] = $page->contentPage(html_out($info['content']), '',$url,10,4); //文章分页

model('photo')->update("id='$id'","hits=hits+1");//点击

if(!empty($info['conlist'])) $titar=explode(',',$info['conlist']);

if(!empty($info['photolist'])){

$phoar=explode(',',$info['photolist']);

$cont=sizeof($phoar);

for($i=0;$i

$photolist[$i]['picture']=$phoar[$i];

$photolist[$i]['tit']=$titar[$i];

//$tit.="'

$titar[$i]

',";

//$sphoto.="'".__ROOT__."/upload/photos/thumb_$phoar[$i]',";

//$bphoto.="'".__ROOT__."/upload/photos/$phoar[$i]',";

}

$this->photolist=$photolist;

$this->num=$cont;

//$this->assign(tit,substr($tit,0,-1));

//$this->assign(sphoto,substr($sphoto,0,-1));

//$this->assign(bphoto,substr($bphoto,0,-1));

}

//获取拓展数据

$sortid=substr($info['sort'],-6,6);//这里被限制了长度 不能注入

$tabid=model('sort')->find("id='{$sortid}'",'extendid');//获取拓展表

....省略

$crumbs=$this->crumbs($info['sort']);//这里导致了注入

.....

跟进crumbs函数看一下

protected function crumbs($path=',000000')

{

$crumb=array();

if(strlen($path)>7){

$ids=substr($path,8);//这里可以完整带入注入语句

$crumb=model('sort')->select("id IN($ids)",'id,type,name,ename,method,url,extendid','deep');

foreach ($crumb as $key=>$vo){

$crumb[$key]['url']=getURl($vo['type'],$vo['method'],$vo['url'],$vo['id'],$vo['extendid'],$vo['ename']);

}

}

return $crumb;

}[/php]